Before utilities can benefit from IIoT, it needs to be secure
By Duncan Greatwood
In recent years, industrial operations have become increasingly connected. Our utility systems are digitized from end to end, made up of interconnected substations and control centers with smart sensors, control systems, and meters interacting with one another. Interconnected smart devices increase efficiency and improve function by decreasing the risks of human error. However, due to inadequate security, many of today’s connected systems are either vulnerable to significant cyberattack, or are missing out on operational modernization, or both.
Distributed and transient assets,[1] from voltage controllers in the electrical grid to laptops, smartphones, and USB drives used by field technicians, represent a major percentage of exposed industrial assets. Historically, when these distributed devices operated in isolation or as part of small local subsystems, the risk wasn’t as drastic. But today, distributed and transient devices are connected and working together across the field, generating new efficiencies but also creating new risks.
For the Industrial Internet of Things (IIoT), connectivity in and of itself is the first of many security obstacles. Insecure transient devices like laptops, smartphones, and tablets provide an easy route for attackers to gain access to the electrical grid, and a jumping-off point from which the entire grid can be attacked once an initial compromise has been effected. Because these devices are joined together, the compromise of a single power-quality-monitor sensor in the electrical grid, or malware on a technician’s laptop, could readily spread from an initial location to hundreds of thousands, or even millions, of networked components.
Further, these devices often face inconsistent human behavior: high turnover rates for employees, lack of adequate security training, and weak password protection and credentials. One device lacking security means risking the security of all devices deployed; what was once a single point of entry now has the ability to bring down power not just in a single street or neighborhood but across an entire state.
New Measures to Mitigate New Vulnerabilities
Custom-crafted attacks on utility systems are increasingly common — the Ukraine power grid hack is a perfect example. When an electrical grid is hacked, it can have a devastating impact both on businesses and on the daily lives of citizens. Recently, remote access trojans (RATs) have been discovered in European electricity control centers and United States SCADA systems. We’ve seen the impacts of these security vulnerabilities repeatedly, from cyberattacks resulting in residential oil spills to nation-state sponsored attacks on nuclear plants and water treatment centers. If companies don’t start employing a more comprehensive, effective way to secure systems, attacks on industrial control systems will keep increasing in both number and scope.
The U.S. Federal Energy Regulatory Commission is taking note of the risks posed by these dangerous attacks. In April of this year, additional security standards were added to the Critical Infrastructure Protection (NERC-CIP) plan to combat dangerous breaches of distributed and transient devices within the utility industry. Essentially, security requirements that were once reserved for core assets, such as power stations, must now apply to the distributed assets, such as substations.[2]
Unfortunately, operators are not yet equipped to meet these regulations. Since the newly covered assets are so much more numerous and distributed than the previously regulated core assets, the protection must be delivered in a highly automated fashion to avoid both the huge expense and inevitable human error that would occur if utilities were to attempt to manually deliver compliance.
Because the systems that need to be secured are distributed, any-to-any, edge-heavy ecosystems, the best solution for security and compliance with emerging regulations is central establishment of security policies, including device password-rotation requirements and access-control rules, combined with automatic distribution and enforcement of those policies in the field where the distributed assets are deployed.
Distributed Utilities Networks Need Distributed Security
To become compliant with these emerging cybersecurity regulations and ensure protection, utilities organizations must be able to replicate a security policy across an IIoT network. Distributed security, such as Xage Security’s decentralized, blockchain-protected fabric, is one example of a tamperproof solution that can ensure trust at scale for critical infrastructure within the utilities sector. Policies such as automatic password updates, and transient and mobile device network access rules, are deployed to all systems within a network and, because of the nature of blockchain’s immutable, distributed ledger system, this solution is scalable. With approximately 30 billion IoT devices predicted to be deployed by the year 2020, it needs to be.
With increasing connectivity and process optimization, companies run the risk of harmful cyberattacks spreading across large networks. And until now, not enough has been done to protect these systems we rely on daily. The development of the NERC-CIP regulations for distributed and transient assets, and the new protection the regulations will help to drive, will be a major step forward for system-wide cyber protection in the electrical grid. If we want to continue embracing transformation, adopting and advancing technology, and reaping the benefits of improved efficiency, we need to first ensure that these smart, automated, connected utilities networks are protected — beyond a doubt.
The Author: Duncan Greatwood is Xage Security’s chief executive officer. He has held various positions in marketing, corporate development, sales, and engineering at a range of technology companies including Topsy Labs, PostPath, and Conexant. Most recently, he was an executive at Apple, helping to lead a number of Apple’s search-technology projects and products. Today, Greatwood brings a blend of sales, marketing, operations, technology and human experience to the task of driving growth at Xage. He holds a BA and MSc from Oxford University and an MBA from London Business School.
1. For the purposes of this discussion, "distributed assets" refers to devices that are physically distributed; it does not refer to electricity distribution.
2. Interested readers can refer to the relevant FERC rulings, for instance: Revised Critical Infrastructure Protection Reliability Standard CIP-003-7 – Cyber Security – Security Management Controls, which refers directly to "low impact BES Cyber Systems" and "transient electronic devices," to be found in various locations including substations.