How should utility infrastructure be protected? The digital world presents new pressing challenges in the cyber realm, in addition to physical security
Cyberattacks on smart grids can disrupt the entire power sector. The risk of cyberthreats extends to all interconnected components across the generation, transmission and distribution channels. Being constantly connected to the internet, a smart grid can be exploited by hackers. Cyberattacks such as sniffing, eavesdropping, spoofing and injecting malicious data into the grid can cause damages ranging from minor power cuts to a major grid collapse. Smart grid security is crucial to providing uninterrupted power supply and minimising losses due to power cuts. To maintain a secure smart grid, utilities the world over are taking initiatives such as implementing a multilayered security mechanism, running awareness and training programmes, and conducting cyber risk assessment studies. Apart from this, they are exploring emerging technologies such as blockchain for enhancing grid security.
Types of cyberattacks
Among the most common cyberattacks on smart grids are sniffing and eavesdropping. This is done by hackers to steal information or acquire the technical specifications of a network. Such information could be used to craft further attacks, or achieve any other objective. Denial of service (DoS) is another smart grid cyberattack, which penetrates into the underlying communication and computational infrastructure, and renders the resources temporarily unavailable. In yet another type of cyberattack, malicious data is injected into the grid. In the process, attackers may leverage the vulnerabilities in the configuration of a smart grid infrastructure and inject malicious data that will misrepresent the state estimation process. Through this, attackers can not only change the results of state estimation, but also modify the results in a predicted way. In spoofing, a malicious party impersonates another device or user on a network. Successful spoofing attacks may result in incorrect calculation of clock offsets, leading to erroneous estimates of the actual power load. Meanwhile, high-level application attacks on any component in the system will cause unexpected physical damages. These applications provide an interface for communicating with the physical infrastructure such as management consoles and end-user web portals. The attacks impact power flow measurement, state estimation, energy management, etc. in smart grids.
Cyberattacks on the distribution system
Consumer meters are most vulnerable to cyberattacks. An adversary can penetrate into smart metering infrastructure connected at consumers’ end and send fake energy usage signals to the control centre. Besides this, in the absence of robust authentication and encryption at the head-end system (HES), an attacker can tamper with the meter data management system (MDMS) and send unauthorised signals to the meters. On the net metering front, end-consumers can tinker with the net energy usage data sent to the utility’s control centre by hacking into the communication network. Further, by way of a cyberattack, the consumers can reduce these electricity bills or even earn credits even without selling electricity to the grid.
On the communication network front, technologies such as wireless local area network (WLAN), ZigBee, radio frequency (RF) mesh, WiMax, WiFi and PLC, used in AMI are vulnerable to cyberattacks that could lead to eavesdropping and session hijacking attacks. Besides, even mobile communications are generally unprotected mediums and could reveal energy consumption data and prove susceptible to privacy invasion. Apart from this, an adversary can hijack the virtual private network (VPN) of utilities. Such an attack manages to infect the control centre LAN, and supervisory control and data acquisition.
Maintaining a secure smart grid
One of the key objectives of undertaking cybersecurity in a smart grid is to maintain data and system confidentiality. Data privacy and consumer protection remain the top concerns for distribution utilities as well as consumers. Utilities and third-party service providers aggregate energy usage data of different consumers for better demand forecast and peak load management. Smart meters installed at consumers’ end exchange information with the home area network (HAN) or building area network (BAN) regarding the data usage of consumers and send control signals to the smart appliances installed on the consumers’ premises.
These networks, however, may be vulnerable to data leakage or eavesdropping that could reveal the activities of consumers and other sensitive information. Cybersecurity measures are required to prevent unauthorised access to secured information such as power usage, price and control commands. With access to such information customers’ privacy can be invaded. Meanwhile, for industrial and commercial consumers, such data leakages can reveal highly sensitive information, for example the technologies used, the manufacturing output, sales events, etc. Besides this, cybersecurity measures are required to prevent any modification of critical information pertaining to sensory devices, electronic equipment, software and control commands that might disrupt the decision-making capability and corrupt the data exchange of the smart grid. Further, robust cybersecurity measures could help in resuming services in case of DoS attacks and distributed DoS attacks.
One of the emerging solutions for maintaining grid safety is developing a smart energy management system based on blockchain. Blockchain is a distributed data processing technology that enables all users participating in the network to distribute and store data. Applying blockchain technology to smart grid will ensure secure management of energy data, and contribute to the development of the future smart energy industry. The primary initiatives to protect smart grids against cyberattacks include enhancing defence capabilities to mitigate the possibility of an attack. The traditionally proven defence-in-depth principle can be adopted, in which multiple layers of security controls are put in place. Under this, the risk is distributed across various layers so that if one layer of defence is penetrated, the other layer prevents further damage.
Another security measure against cyberattacks is cybersecurity risk assessment. This involves evaluating various information assets to identify the underlying vulnerabilities and threats. In addition, there is a need to create awareness and undertake training programmes to maintain grid safety. Effective training programmes need to be designed based on individual roles and responsibilities. Incident response is another vital aspect of protecting smart grids from cyberattacks. In the absence of an effective incident management plan, an incident can completely disrupt vital business functions.
So, what are the biggest concerns surrounding the utility sector when it comes to cybersecurity? We catch up with Graham Park, Software Engineer at Virtual Peaker who has been heavily involved in cybersecurity issues for years.
How do you know utility customer data won’t get hacked? And what can we do to protect critical infrastructure?
No security system, whether it’s in the cloud or hosted in your own data centre, is 100% immune from compromise. Regardless of how mature your cloud security is, it’s best to always think of it as a work in progress. That’s because new threat actors emerge, testing out new tricks, and we have to be ready. The best protection is to constantly sharpen security systems and continually educate employees.
Here are some concrete steps to take:
- Follow industry best practices. There’s a lot to be learned from the shared experiences of the security community.
- Catch mistakes before they’re exploited. Hire penetration testing teams to regularly flag issues with your applications, and set up automated scanning of your code and infrastructure to detect common security mistakes before they become a problem.
- Invest in detection. Some reports suggest that 200 days is the average time it takes to detect a data breach. A lot of damage can be done in more than half a year, so the faster you detect and respond to an attack, the more likely it is you’ll be able to prevent or limit serious damage.
- Create a culture focused on security. As the old saying goes, the strongest lock doesn’t matter if someone hands over the keys. At Virtual Peaker, we’ve found that short trainings every month work best. They’re brief enough to engage employees yet happen often enough to ensure that security is always top of mind. Because phishing is consistently ranked as the top reason for security breaches, it’s critical that security training includes phishing simulations so team members don’t get fooled.
Of course, security starts—or ends—at the highest levels of every organisation, so it’s critical for leaders to stress the importance of remaining vigilant and focused.
The pandemic has shifted work habits and social distancing/working from home as the new normal for many. How can utility employees work remotely and safely?
The cloud doesn’t care whether your access point is the office or a spare bedroom at home—the same best practices for security listed above still apply. Make sure to always lock your devices when you walk away and never leave them unattended in public. Only connect using your company VPN if you have one.
Think before you click, regardless of your location. Phishing scams are on the rise during the pandemic, so if something seems a little off, delete it or first confirm with your security department that it’s okay to proceed. In the pre-pandemic world, if you received a suspicious email claiming to be from a colleague, you could walk down the hall to make sure. When working from home, reach out through a different communication channel —Slack, text, voice, etc.— to make sure the communication is legit before opening it.
It’s also important to take steps so you don’t inadvertently disclose company information. Make sure to dispose of all confidential documents securely, and to think about who might be within earshot before discussing confidential business information over the phone or who might be able to look over your shoulder and watch you enter passwords or pull up confidential data. And of course, it’s critical to use strong passwords and multi-factor authentication.
What should utilities look for to make sure vendors are legitimate when it comes to cybersecurity?
I think a lot of the things we’ve talked about can be applied when considering vendors. The same focus on security within your organisation should be visible in all of your vendors as well. It’s necessary to hold them to a high-security bar because (depending on the vendor) they may be handling your sensitive data or business-critical functionalities. Some questions to consider as you evaluate vendors:
- Are they following industry best practices?
- Are they investing heavily and frequently in security?
- Do they use third-party assessments including penetration tests and audits to protect the information in the cloud?
A smart grid cybersecurity strategy needs to be designed to manage the prevention, detection, response and recovery processes, and counter any existing and potential threats. The utilities sector, as a critical infrastructure, must be protected physically and virtually, with a convergence of solutions.
Graham Park, Software Engineer at Virtual Peaker
Worldwide, the value of the public cloud services market is estimated at almost $260 billion according to research firm Gartner, Inc. And it’s growing: With the onset of the COVID-19 pandemic, work habits—and work locations—have changed for many, heightening the already strong interest in robust security for cloud-based systems.
While many industries—finance, medicine, and more—already are firmly in the cloud, many utilities are still taking initial steps and looking for guidance. Misconfiguration – by a long shot—is the biggest danger for those using cloud-based platforms. Cloud providers offer a rich assortment of the latest security tools and best-practice protocols to lean on as users deploy and manage all sorts of utility applications. However, it’s critical for anyone migrating to or operating in the cloud to take the time needed to set up these systems correctly and securely.
There are far too many cautionary tales out there. In one case, sensitive medical records (lab test results, patient files) for 150,000 Americans had been stored on an unsecured cloud. In another case, back in 2017, personal information—about 1.1 terabytes worth—for almost 200 million registered US voters was accidentally exposed online for two days due to an improperly configured security setting. In both of these cases, fixing the configuration was fairly simple, but it just wasn’t done. So, to anyone considering moving to or operating in the cloud, make sure to keep up-to-date with security best practices and keep them in mind as you build your applications. When done correctly, operating within the cloud can remove or streamline a lot of the work required to deploy a secure application.
Hafid Elabdellaoui Chief Security Advisor, CSG ESA, Microsoft
Over the last fifteen years, attacks against critical infrastructure have steadily increased in both volume and sophistication. Because of the strategic importance of this industry to national security and economic stability, these organisations are targeted by sophisticated, patient, and well-funded adversaries. Adversaries often target the utility supply chain to insert malware into devices destined for the power grid. As modern infrastructure becomes more reliant on connected devices, the power industry must continue to come together to improve security at every step of the process.
Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernise our infrastructure, it’s critical that cybersecurity measures are prioritised.
If your organisation supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to access your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80% of breaches are the result of weak or compromised passwords. Attackers target multiple people at a time, but they only need to succeed once to gain access.
To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922