Grid operators need a revised cybersecurity strategy in the IoT era

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

A control panel from the pre-digital era (1970s) in the Dounreay nuclear experimental research facility, Scotland. [byronv2 / Flickr]

Cybersecurity threats invade the minds of electricity grid managers on a constant basis, and for good reason, writes Neil Strother.

Neil Strother is a principal research analyst with Navigant Research. His latest report examines the cybersecurity threats challenging utilities and other enterprises deploying Internet of Things (IoT) technologies.

A cyber attack recently shut down a power plant, believed to be in Saudi Arabia. Furthermore, exploratory cyber attacks against energy networks in the Baltic states have officials around the EU deeply concerned. Moreover, a recent wave of cyber attacks aimed at the European and North American energy sectors has surfaced as well, keeping the threat top of mind.

The situation in Europe is particularly troubling. Companies in the EU take three times longer than the global average to detect a cyber intrusion, according to FireEye, an enterprise-level cybersecurity solution provider.

With more devices like smart meters and PV systems being installed and linked to energy grids, cybersecurity threats show no signs of lessening. These devices, part of the Internet of Things (IoT) megatrend, provide bad actors with more vectors—or surfaces as experts like to call them—from which to launch an attack.

Few, if any, experts suggest that an attack on a single smart meter could take down an electrical grid; commandeering a few such devices, or the systems connecting them, poses a more realistic threat.

However, the danger does not have to come from newer connected or smart IoT devices.

In May 2017, nuclear power stations in the US faced cyber attacks that triggered federal authorities to issue an urgent report that included the second-highest rating level for the sensitivity of the threat. The hackers targeted computers at the power stations, but their malicious code did not make the jump from the infected computers into control systems at the facilities, and by all reports, the attacks were countered. Nonetheless, power plants remain a highly valued target of cybercriminals.

While not a direct result, the Trump administration did issue an executive order to strengthen the security of national networks and critical infrastructure in the weeks following the attacks on the nuclear facilities. The order required federal agencies to use the National Institute of Standards and Technology’s cybersecurity framework, which up until then had only been implemented on a voluntary basis.

In the UK and Ireland, cybersecurity officials warned of hackers targeting energy sector facilities in July 2017, noting some industrial control systems were likely to have been compromised.

The warning came from a document produced by the National Cyber Security Centre, which is part of the UK’s Government Communications Headquarters, an intelligence and security organisation. The targeting did not result in any known damage to facilities, but one industrial security expert, Robert M. Lee, founder and chief executive of cybersecurity firm Dragos, says targeting of civilian infrastructure is only increasing and becoming more worrisome.

New approaches to thwarting threats

Given the sensitive nature of cyber attacks and the growing threats from an increasing number of connected devices and systems, grid managers are reluctant to discuss their approach to thwarting the bad actors.

Even so, one organisation setting the pace has been the Tennessee Valley Authority (TVA), a US corporate agency providing electricity to local power companies serving 9 million people in parts of seven states. TVA cybersecurity experts employ a multi-tiered approach: as billions of events enter TVA’s extensive system, they are automatically parsed using correlation tools and data filtering capabilities to find and escalate the most serious ones. Once identified, the most perilous threats are turned over to a security analyst who digs into the details and blocks the intrusion.

TVA and other organisations have also been moving from traditional, reactive approaches to more proactive ones. For instance, with some of the latest tools for analysing big data and automation, organisations can detect threats to devices and systems ahead of time and more readily take preemptive actions.

Behavioral analytics is one such tool, increasingly used to spot anomalies that could represent a threat to a system, allowing self-protecting measures to take hold and reducing or eliminating the vulnerability. Much of this approach is still early stage, but it does provide some hope.
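The tiered pipeline described for TVA and the behavioral-analytics idea above, as an added illustration that is not TVA's or the author's code: tier 1 scores each smart-meter reading against that meter's own recent baseline, tier 2 correlates the survivors across meters in the same time bucket and hands only correlated clusters to an analyst. Meter names, readings, window and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed smart-meter telemetry, not real grid data: (minute, meter_id, kWh in the interval).
# Ten quiet minutes, then two meters spike together at minute 10 and one meter alone at minute 11.
EVENTS = [(t, m, base + 0.1 * (t % 2))
          for t in range(10) for m, base in (("m1", 1.0), ("m2", 2.0), ("m3", 1.5))]
EVENTS += [(10, "m1", 40.0), (10, "m2", 55.0), (10, "m3", 1.5), (11, "m3", 30.0)]

def tier1_filter(events, window=5, z_threshold=3.0, min_sd=0.05):
    """Tier 1: per-device behavioural baseline. Each reading is scored against the
    device's own recent history; only statistically unusual readings pass through."""
    history = defaultdict(lambda: deque(maxlen=window))
    anomalies = []
    for t, meter, value in sorted(events):
        hist = history[meter]
        if len(hist) < window:          # warm-up: learn the baseline before judging
            hist.append(value)
            continue
        sd = max(pstdev(hist), min_sd)  # floor avoids divide-by-zero on flat baselines
        z = (value - mean(hist)) / sd
        if abs(z) > z_threshold:
            anomalies.append({"time": t, "meter": meter, "value": value, "z": round(z, 1)})
        else:
            hist.append(value)          # anomalous readings are kept out of the baseline

    return anomalies

def tier2_correlate(anomalies, escalate_after=2):
    """Tier 2: correlate anomalies across devices in the same time bucket. Several
    meters misbehaving together goes to an analyst; a lone outlier is only watched."""
    by_time = defaultdict(list)
    for a in anomalies:
        by_time[a["time"]].append(a)
    incidents = []
    for t in sorted(by_time):
        meters = sorted({a["meter"] for a in by_time[t]})
        tier = "analyst" if len(meters) >= escalate_after else "watch"
        incidents.append({"time": t, "meters": meters, "tier": tier})
    return incidents

def triage(events):
    """Run both tiers: billions of raw events in, a handful of prioritised incidents out."""
    return tier2_correlate(tier1_filter(events))

if __name__ == "__main__":
    for incident in triage(EVENTS):
        print(incident)
```

The minute-10 cluster reaches the analyst queue while the lone minute-11 outlier is only flagged for watching; in practice the bucket width and thresholds would be tuned to the fleet's real variance.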

Regulators playing catch up

From a regulatory standpoint, most officials have been playing catch up to cybercriminals and nation states who do not play by the rules, making efforts to hinder the bad actors somewhat fruitless—at least in the near-term.

The rules and standards have a difficult time keeping pace with hackers’ ability to leverage the latest technology. However, regulators can promote laws that support grid operators and other market stakeholders who aim to keep their systems safe, with the hope that—over time—legitimate products and technologies will emerge with the necessary protections to keep grids safe with an acceptable level of risk.

Adopt a proactive strategy in the face of threats

2018 appears to be another challenging year for those preventing cyber attacks. Experts warn that state-sponsored attacks are likely to increase and attacks against IoT devices will worsen.

Despite a grim future, energy grid managers can and should adopt a robust strategy to protect their assets. They should implement a multi-tiered approach similar to TVA’s, and move toward more proactive tools and processes to counter threats.

Energy grid managers should appoint a team to execute cybersecurity strategy, focusing on hardware, software, and human threats in an integrated fashion. When skills are lacking, they should promote enhanced training for these team members so they can stay current on the best practices for stopping threats.

And finally, the strategy in this ongoing battle should be flexible so it can evolve as the bad actors continually improve their devious, clever methods.
