High Voltage, High Security: How Electric Utilities Should Address the Internet of Things
Few industries have embraced the potential of the Internet of Things (IoT) more than the energy sector.
By Bindu Sundaresan
Few industries have embraced the potential of the Internet of Things (IoT) more than the energy sector. Ericsson estimates that there were already 485 million devices managed by utility companies in 2013, and that number could triple by 2020. Another study from IHS Technology forecasts that the market for smart grid sensors could grow by 1,000 percent between 2014 and 2021.
It is easy to see why. In this era of connected and intelligent devices, new technology provides levels of transparency, performance and control of power grids that were unheard of even a decade ago. IoT is making power delivery more efficient and dependable-all while maintaining legacy systems and infrastructure. That is why it is vital to have a comprehensive IoT security plan in place.
With every smart meter, energy box actuator and grid sensor added to the network, new attack vectors are introduced to the system. Think of it this way-each new device opens a door that requires closing.
Unfortunately, the findings from our second Cybersecurity Insights Report, “The CEO’s Guide to Securing the Internet of Things,” showed that organizations regularly deploy devices without the proper security measures. In addition, when connecting legacy equipment that was built without Internet connectivity in mind, security is especially challenging.
It is essential to keep security top of mind for utility providers because a breach can inflict huge costs and harm corporate reputations-and can also disrupt services necessary to the safety and wellbeing of consumers.
While there is no method for making an organization immune to attack, it is possible to set up an IoT defense for success. We recommend that all electricity providers ask themselves the following questions when assessing their IoT security plans.
1) Has the company done an all-inclusive risk assessment that considers the IoT as a part of its overall risk?
In our report, we found that just 14 percent of companies have a formal audit procedure in place to identify the devices connected to their network and if they have been secured. This is a serious issue. A network can’t be secured without awareness of all the existing security vectors.
As systems regularly integrate connected devices with legacy systems and equipment, this introduces new risks and possible threats. This makes it essential to bring these networks together with security as a top priority. It is rare that these networks have the fundamental network security controls that are now embedded in most devices built for connectivity.
Utilities must be careful to understand the vulnerabilities this combination of legacy and new systems might create.
The entire IoT ecosystem needs to be a focal point. Each partner, vendor and contractor adds new layers of risk, and organizations should collaborate to understand if IoT devices and operating system were embedded with adequate security protocols. Companies also must work to transfer information to or from the organization more securely.
2) Are company data and connected devices secure when deploying new IoT solutions?
I often talk about using a layered approach to help secure data and the device network. There are four key layers: the device layer, the connectivity layer, the data and application layer, and overarching threat analytics.
Existing security policies will need to be adapted to embrace these new security challenges for IoT. Helping to secure the devices means committing to implementing software such as advanced distribution management systems that allow electric utilities to manage and control each device operation.
Helping to secure network connectivity means establishing authentication controls throughout the ecosystem, monitoring who can access the system and how often they can access it, and encrypting data and information as it crosses the network. Companies can even take it one step further and partition the networks of major power delivery processes to help isolate and prevent a cyber-attack from spreading throughout the organization.
Each individual data set and application should have detective controls to help identify breaches as they occur. The sooner a company knows about a possible attack, the sooner it can execute its response plan.
Electric utility companies need to filter the data from each layer of a connection through a threat management system to help identify risk and accurately understand how secure their IoT devices are and address any possible vulnerabilities.
3) Is the company aligned, from leadership to the front line, on IoT security and strategy?
IoT security demands commitment from everyone in the organization. It needs to be a top-down effort that starts with the boardroom and filters to all front line employees. Every employee should understand what function the IoT devices have and the risk associated if those were compromised.
If leadership is involved in developing the IoT security strategy, it will be easier to make security the core of all business decisions related to IoT deployment. In addition, our research indicated that in businesses that actively involve their board members in IoT security, 70 percent of respondents are confident in overall IoT security plans.
4) Has the company defined legal and regulatory guidelines covering new IoT devices and deployments?
Electric power delivery is rife with regulatory limitations and demands, and data security is a significant piece of that puzzle. With legal and regulatory concerns, it is vital to engage legal counsel and experts to help navigate potential pitfalls. While compliance does not necessarily guarantee effective security, companies can help resolve regulatory accountability issues as they are putting their plans in place.
Asking these questions is the first step in determining if an organizations’ procedures and safeguards are ready for IoT. Effective planning will go a long way in helping avoid the reputational and financial damage of a cybersecurity breach. UP
About the author: Bindu Sundaresan, strategic security solutions lead at AT&T, describes her role as a security professional. Her job, as she puts it, is “to keep information safe.” She also cautions about a company’s security measures being solely technology-based. Sundaresan advises companies to treat their security efforts as a program, not a project. The issues on Sundaresan’s radar are security and mobility, security and cloud computing.