The security of the UK’s energy grid was back under scrutiny in October 2010 as the government ranked cyber-attacks on national infrastructure as a ‘tier one’ threat in its new security strategy.
Shortly after the strategy was published, Sir Malcolm Rifkind, head of the UK’s Intelligence and Security Committee, described the theoretical possibility of such an attack during a radio interview: “What we’re talking about is terrorists being able to actually use cyber methods, for example, to interrupt the National Grid to prevent proper instructions going to power stations, which are under computer control.”
This renewed interest comes at a time when the information architecture that supports energy infrastructure is being reinvented. A group of technologies, combined under the umbrella term of Smart Grid, promises to give utility suppliers greater insight and control over their infrastructure, from generation through distribution to the point of consumption.
Long discussed in the industry, Smart Grid is now becoming a reality. A study published by Oracle Utilities in October showed that 18% of energy companies have already completed their rollout of Smart Grid technology, while 56% of those that have not plan to do so within the next five years.
What the adoption of Smart Grid means for the security of energy infrastructure is a question that divides opinion.
One view sees the technology as a way to protect infrastructure more effectively: electronic sensors around the grid provide real-time data on the status of infrastructure, meaning that problems can be identified quickly and power flows rerouted to compensate for any disrupted sites.
The opposing argument, however, is that the IT systems required for this intelligence add a soft underbelly that is vulnerable to electronic attacks.
And while Smart Grid adoption seems to be going ahead, there are indications that security complications may be making it harder than anticipated. For example, a report by the World Economic Forum published earlier this year identified security, alongside customer privacy, as one of the critical challenges that utility companies are wrestling with as they deploy Smart Grid pilot schemes. “Breaches of data security can have a catastrophic impact on pilots,” the report found.
Andy Bochman, editor of the Smart Grid Security Blog and energy security lead at IBM Rational, explains some of the security implications of the technology: “A lot of Smart Grid functionality depends on IT systems being connected to operational technology (OT) systems,” he says. “In security parlance, this greatly expands the attack surface.”
Bochman explains that hackers could penetrate an IT ‘soft spot’, such as a corporate network or web application, and from there move on to OT systems, which control grid hardware.
There are, says Bochman, three ‘classes’ of hacker that might target a Smart Grid. The first is a ‘kiddie scripter’, or curious individual who downloads Internet code and attempts to hack their Smart Meter, usually in an attempt to change their bill. “They’re not very dangerous threats, but on the other hand, they can certainly be a nuisance and cause trouble,” says Bochman.
Secondly, he identifies organised cyber gangs who want to disrupt the Smart Grid for commercial ends. He does not see too much scope for this at the moment. “They’re not really ideologically driven to attack the power sector more or less than any other sector. It all depends on where they think they can get the most money.”
More severe, Bochman says, is a scenario in which terrorist groups or national governments sponsor cyber attacks on critical infrastructure for political ends. This nightmarish scenario was brought into sharp relief in September 2010 when security experts posited the theory that Stuxnet, an unusually sophisticated worm that had spread through industrial control systems the world over, was in fact designed to attack one single target: an Iranian nuclear facility.
Stuxnet was a first of its kind. Its code did not attack IT systems themselves, but instead used them as a vehicle to sabotage industrial infrastructure.
The worm exploited several Windows vulnerabilities to move undetected through the facility’s IT network to its OT systems where, it is claimed, it could have caused serious damage to critical infrastructure had it not been detected.
Whoever programmed the virus probably had a deep knowledge of the industrial systems used at the plant, security experts say. Happily, while undeniably potent, Stuxnet’s competency appears limited to specialised processes used in Siemens engineering equipment.
Speculation that Stuxnet was a state-sponsored attack to disrupt progress of the Iranian government’s nuclear energy programme is rife, although it is based on merely circumstantial evidence.
Bochman believes that Stuxnet, or one of its variants, could feasibly be re-coded to target energy infrastructure using a similar methodology. “It’s a proof of concept that this type of thing is possible,” he explains. “But the payload of what it is trying to do at the end of the day could be much different.”
Earl Perkins, a utilities expert at industry analyst company Gartner, believes that Stuxnet will provide a “wake-up call” to those utility companies that have yet to get a hold on the security obligations of Smart Grid. “Most of the time, people in the [utilities] industry don’t pay attention until they have to react to something dramatic,” he says. “We only tend to take effective action when the prioritisation is done by a crisis.”
Perkins argues that the Stuxnet scare has uncovered organisational divisions at utility companies that undermine the security of their overall infrastructure. Engineers employed by energy companies have a strong knowledge of what is required to protect OT systems, he says, but their expertise will not normally extend to ensuring the same for IT.
“[The Smart Grid] has actually uncovered an endemic issue about how the OT side of utilities is structured to address security concerns,” Perkins argues. Presently, there is a lack of cohesion between IT and OT teams on how to shield Smart Grids from attack. “There aren’t a large number of utilities that have a structured organisation where top-down decisions related to Smart Grid security are taking place,” he laments.
Perkins says that utilities should realign their organisation to reflect newer security threats. A good starting point for many energy providers would be appointing a chief security officer to oversee a “matrix organisation” of security analysts and professionals from both IT and OT backgrounds. He does, however, note a “historical lack of cooperation” between these two groups.
He also believes that utilities must be more adventurous in their procurement of external suppliers if they are to fully engage the security issue. Perkins highlights a distrust of outsiders in the industry, which makes people reluctant to stray from a small pool of consultants and providers. “The culture of utilities is conservative. They are accustomed to building their own communications networks because they don’t trust public networks,” he explains. “It’s a culture that prefers to create its own solution rather than seek a solution from outside, even if those solutions may be able to be installed faster or configured more quickly.”
They may be conservative, but there are signs that energy companies are prepared to take the emerging challenge of Smart Grid security seriously. A report published by clean technology analyst Pike Research in June 2010 predicted that $21 billion is to be spent globally by energy providers on Smart Grid security between now and 2015.
This represents approximately 15% of total Smart Grid spending during the period. But Gartner’s Perkins argues that the utility providers that successfully address the Smart Grid security question will not necessarily be the ones who throw the most money at it. “It doesn’t matter about their size or resources,” he asserts. “It’s about whoever in their organisation has an awareness of the seriousness of the issue and is determined to take action.”