Defending The Perimeter When It Is Everywhere: Thinking About Grid Cybersecurity
- Posted on September 20, 2018
- 393 views
Connecticut’s just-released (September 17, 2018) Critical Infrastructure 2018 Report makes for sober reading. Four of the state’s electric, gas, and water utilities reported that on a single day, they may see over one million “distinct probes” aimed at compromising their systems. Some of these attempts emanate from private actors, but many come from “powerful nation states.”
Connecticut’s responsible officials and utilities agreed that “the potential ramifications of loss of utility service to Connecticut are not well understood” but “loss of electricity, natural gas, or water, especially on a regional scale, for more than two weeks would present unprecedented upheaval and possible suffering…”
The utilities acknowledged that one of the growing challenges was the Internet of Things, which “proliferates the number of ways a company can be hacked and penetrated and offers more platforms to attack.” They warn, “IoT devices often fall outside of established, traditional vulnerability scanning and security patching for computers and network devices. The companies also noted their dependence on cable and broadband companies – a dependence that grows daily as more connected devices are added to the grid – and suggested they be brought into the annual review process as well.
To get a sense of just how quickly we are migrating to a world full of utility-connected devices, one need only look at Hawaii and California. Hawaiian Electric Company’s (HECO) $205 million Grid Modernization Plan observes:
“The Companies continue to lead the nation in the integration of customer-sited private solar, with the highest percentage of customers with solar of any utility in the country. More than 15 percent of total customers – including an estimated 26 percent of single-family homes – had private solar in place by the end of 2016…”
Two sentences in that Plan stand out in particular: ”The Companies realize that meeting customers’ needs and achieving Hawai‘i’s clean energy goals is not possible with the current grid. In other words, the grid we have is not the grid we need. (author’s italics)
Meanwhile, California utilities already host over 7,000 MW of net energy metered solar, with over 850,000 projects to date. Each of those devices represents a potential attack vector.
In fact, the entire grid of the future will be imbued with a much higher level of intelligence and ‘situational awareness.’ HECO’s plan states that its future grid will contain a host of new and smart devices, including advanced inverters, voltage management tools, sensors, and automated controls. It will also involve “expansion of a communication network enabling greater operational visibility and efficient coordination of distributed resources.”
Such a digitally advanced and highly connected grid has the potential to become super-efficient. If we are not extremely diligent in our efforts, though, it could also be increasingly vulnerable to cyberattacks.
Thinking about cybersecurity in the emerging smart grid
As we connect assets across the grid - from the bulk system to the outer grid edge - it will be essential to develop a best-practices approach to cybersecurity. Several issues should be considered:
- Real-time, or near real-time, visibility of all grid-connected assets (that are potentially capable of being hacked) is critically important for safe operation of the grid.
- It should be assumed adversaries are continuously probing and reconnoitering the electric system in search of weakest links, locating possible points of intrusion and identifying potential capabilities to do harm. As the Connecticut report stated, we already see this in practice on a daily basis.
- As we saw in the brief 12-month interval between the winter 2015 and 2016 CRASHOVERRIDE cyber attacks on the Ukrainian grid, hacker capabilities are constantly improving, creating increasingly leveraged attack capabilities that can now assault multiple targets simultaneously. We should take as a given these capabilities will continue to evolve for both state and non-state actors.
- We should assume hackers have already penetrated multiple U.S. utility networks and are currently in a preparatory reconnaissance mode.
- Networks of connected Internet of Things assets, able to deliver or consume energy, could considerably damage the grid if hacked, coordinated, and aggregated. The risk of instability and disruption potentially extends beyond the distribution utility level to the bulk power system. This would especially be the case if an extensive automated attack were to be simultaneously targeted across multiple devices.
An increasing level of vulnerability
As Pacific Northwest National Laboratory (PNNL) notes in its recent paper ‘Defending the Grid from IoT’, it’s not that we don’t know about the vulnerabilities from these newly connected devices potentially creating new portals for hacker entry into our systems. Rather, it’s that these connected devices could themselves be used to destabilize the grid by consuming or releasing energy instantaneously into the grid at a hacker’s command.
As PNNL observes: “The grid involves two forms of connectivity: one is the traditional information connectivity…and the other is electrical power connectivity. This dual connectivity is the source of electric grid operational cyber vulnerabilities that are more complex than ordinary information system vulnerabilities.”
So how might such an attack take place? PNNL describes a potential scenario in which demand response (DR) aggregators are compromised and - based on a signal or set time - multiple connected DR assets are synchronized to unexpectedly change behavior. This could result in significant voltage fluctuations and volatility that trips protective systems.
Or imagine a near future-state world where we have true bidirectional vehicle-to-grid integration with electric buses and passenger vehicles with battery packs holding 300 kWh and 100 kWh respectively. Upon a signal, hundreds or thousands of these connected vehicles could be manipulated to draw power from – or release power to – the grid, resulting in significant potential for system destabilization.
Sandia National Laboratory has also evaluated these issues noting gaps from both security and policy perspectives, and the critical need for better authentication protocols (who can talk to each device) and integrity of communications. In particular, the report cites the fact that many of these distributed devices in the residential and small commercial sector are connected to commercial Internet service providers “out of the control of the utility and any of its normal security mechanisms… From the electric utility’s perspective, services provided by a commercial communications carrier are not guaranteed from a reliability and availability perspective.”
Sandia articulates the concern that while policies have been put in place to accelerate deployment of distributed assets on the electric grid, commensurate steps related to cybersecurity have lagged well behind. Finally it warns that, “a coordinated effort among stakeholders—the nation’s utilities, state public utility commissions (PUCs), distributed-generation control hardware and software vendors, and communications providers—does not exist to address the growing attack surface.”
What to do?
A first step is to truly recognize the potential security implications of the changing nature of the electrical grid and focus on creating a coordinated approach among the various affected actors, with sufficient resources to do the job.
The next step may be to reconsider the existing architecture. As the PNNL report indicates, there are ways to modify grid structures that limit damage and create more opportunity for a resilient response. This might include creating the ability to better partition off the compromised elements, an approach that may include microgrids and feeder-level areas, distributing intelligence and control, so that single point-of-failure assaults are unsuccessful.
It will also involve developing communications “network structures that have inherent path redundancy and network segment isolation capability” and creating additional hardened communications capabilities.
The reality is that, as the grid becomes more distributed, the potential attack surface grows considerably. As a result, we must take deliberate steps to identify vulnerabilities, harden assets where possible – especially the communications channels for connected assets – and develop strategies to improve our resiliency. We really don’t have much of a choice.