The cyber threat: What utilities need to know

Engerati speaks with the Electric Power Research Institute about the top threats facing utilities and what they should be doing to mitigate risk and improve cyber security.
Published: Tue 16 Jul 2019

Monitoring utility progress in building cyber security programmes is tricky, because information about protection systems is by necessity tightly controlled. The research and development initiatives of US-based Electric Power Research Institute (EPRI), which recently opened a division in Dublin, seek to enhance collaboration in this sensitive area and to bridge the knowledge gap between the traditional utility world and the emerging digital system.

EPRI’s Cyber Security Research Lab (CSRL) in Tennessee has more than $2.5 million worth of hardware, software, and other equipment configured to support multiple supervisory control and data acquisition (SCADA) protocols. The institute’s cyber security programme helps utility members to mitigate risks to legacy and next-generation systems, promote grid resiliency, improve security, effectively evaluate security program processes and technologies and benchmark to their peers.

Engerati speaks with Galen Rasche, senior program manager for cyber security. Save the date: A webinar on the topic will be scheduled for 5th September.


E: What kind of threats are utilities facing?

GR: From deliberate attacks to inadvertent threats and natural phenomena, utilities face a number of cyber security threats.

The most obvious category of threats, and the one that often dominates the headlines, is the deliberate cyber attack. We have worked to address the risks from state and industrial espionage as well as from disgruntled employees and organized crime. While less well known, inadvertent threats and natural disasters, such as equipment failure, user errors, floods, solar activities, and others represent a real threat and are part of our ongoing mitigation efforts.


E: Why do distributed energy resources (DER) pose a greater threat of cyber security?

GR: Since DER devices can increase the attack surface of the grid, we need to ensure that they are designed properly to reduce potential cyber security risks.  EPRI has identified three key challenges in DER security:

- Lack of network security standard for DER communication:

  - Today many integrators and utilities independently select the network gateway architecture facilitating secure communication between the smart inverter and the external network. This approach allows an installer or integrator to connect multiple smart inverters using existing local networks, such as wireless networks at homes, shopping malls, and schools, and possibly communicate in plain text—a threat vector that could be more effectively mitigated by implementing an industry standard.

- Lack of Cloud security standard for DER management:

  - While the Cloud has effectively served utility IT needs for more than a decade, its use is less prevalent in utility Operational Technology (OT) applications. Cyber security enhancements are important to smart inverter integration given that aggregators and inverter manufacturers often use the Cloud as their primary control system platform.

- Limited visibility into cyber security vulnerabilities of deployed DER:

  - Some of the existing deployments of operational digital assets and DER are communicating today, with even greater connectivity expected in the future. Some assets will connect directly with utilities, while others will communicate through third parties and in the Cloud. It is important to understand potential cyber security vulnerabilities related to the hardware, protocol, management system, aggregator, and Cloud providers, as well as the supply chain.


E: What do digital/IT officers at utilities need to be aware of when initiating digital projects?

GR: Security must be integrated into every stage of the system development lifecycle.  However, even with a completely integrated security approach it must be assumed that some security controls will fail or be bypassed at some point in time. Therefore, a utility digital or IT officer should implement a “defense-in-depth” strategy that includes multiple layers of protective controls as well as strong detection, response, and recovery capabilities tailored to the unique operating environment of their OT systems.       

To do this effectively, digital/IT officers must understand the differences between IT and OT systems. For example, there are often differences in core security objectives. For IT systems, confidentiality and integrity are typically the major objectives. However, for OT systems, availability and integrity are the primary objectives. This is because timing and availability constraints in control systems are critical to their operation and there may be safety implications if they are not met. Also, the devices used in an OT environment may include legacy systems and embedded devices with limited bandwidth and processing capabilities.

These constraints may reduce the options that are available for implementing security controls. The difference in system lifetime needs to be accounted for as well. While the IT system life cycle varies from six months to two years, OT systems can be in the field for 15 to 40 years. Additionally, basic security processes such as patching may need to be adapted, because the timing varies drastically: with IT systems, a “Patch Tuesday” cycle may be common for endpoints, while the patch cycle for OT systems can be up to two years or tied to scheduled maintenance cycles.


E: What is Transport Layer Security and what are the implications of getting it wrong?

GR: At a high level, Transport Layer Security (TLS) is a commonly used protocol for providing authentication, confidentiality, and data integrity between two systems that are communicating across a network.  However, it can provide a false sense of security if it is implemented incorrectly. 

For example, the Heartbleed security bug disclosed in 2014 revealed a critical vulnerability in a version of the OpenSSL library that was used by many TLS implementations.  In this case, a buffer overread vulnerability was discovered that would allow an attacker to access chunks of memory that likely had been used by OpenSSL.  The attack could potentially reveal very sensitive data such as session cookies and passwords. 
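Added illustration (not EPRI's, OpenSSL's or the interviewee's code) of the class of defect behind that buffer over-read: a length field supplied by the peer is trusted without checking it against the bytes actually received. The heartbeat-style record layout and the sample records are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative heartbeat-style record layout (assumed for this example,
 * not OpenSSL's real code or layout):
 *   byte 0     : message type (1 = request)
 *   bytes 1-2  : payload length, big-endian, as claimed by the peer
 *   bytes 3-   : payload, followed by 16 bytes of padding                */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Returns the payload length that may safely be echoed back, or -1 if the
 * record must be dropped. The decisive check is the one Heartbleed lacked:
 * the length claimed in the header must fit inside the bytes that were
 * actually received (rec_len); otherwise the echo reads past the record. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return -1;
    return (int)claimed;
}

/* Builds the echo response from a validated record only. Returns bytes
 * written to out, or -1 if the record was rejected or out is too small;
 * memcpy can never read beyond rec_len because of the check above.      */
int heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    int n = heartbeat_payload_len(rec, rec_len);
    if (n < 0 || (size_t)n > out_len) return -1;
    memcpy(out, rec + HB_HEADER_LEN, (size_t)n);
    return n;
}

/* Constructed sample records, 24 bytes each (3 header + 5 payload + 16 padding). */
const uint8_t hb_honest[24] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}; /* claims 5, has 5 */
const uint8_t hb_lying[24]  = {1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'}; /* claims 65535, has 5 */
uint8_t hb_out[64];                                                       /* reply scratch buffer */

int main(void) {
    int n = heartbeat_reply(hb_honest, sizeof hb_honest, hb_out, sizeof hb_out);
    printf("honest record: echoed %d bytes\n", n);                        /* 5 */
    n = heartbeat_reply(hb_lying, sizeof hb_lying, hb_out, sizeof hb_out);
    printf("lying record: %s\n", n < 0 ? "rejected" : "echoed");         /* rejected */
    return 0;
}
```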

Additionally, mistakes in configuring the TLS protocol can reduce its security.  EPRI has developed a video that provides background on TLS and what can happen if it is implemented incorrectly. 


E: What is the EPRI cyber security procurement methodology?

GR: The EPRI cyber security procurement methodology introduces a supply chain model to establish common understanding among all parties in the supply chain and integrates the EPRI Technical Assessment Methodology (TAM) guidance to assist in the development of target asset and supply chain integrity cyber security requirements.

This research provides step-by-step guidance for utilities to assess cyber security measures based on risk. The approach involves considering potential security breaches, their likelihood, and the consequences (such as radiological release, outages, and reputation damage) and then prioritizing mitigations.  This methodology enables development of cyber security procurement specifications for a target asset by providing a clear division of responsibility between the buyer and supplier using a graded approach, as well as development of supply chain integrity specifications while a target asset is in a supply chain segment or in transition. 

For more information about these and our other cyber security programs please visit