Tony Flick has worked for over eight years in the security industry and is currently a Principal with Tampa-based FYRM Associates. He has presented at Black Hat, DEF CON, ShmooCon and OWASP chapter meetings on Smart Grid and application security concepts. In this interview he discusses smart grid security and the related challenges as well as his book – Securing the Smart Grid.
Conspiracy theories and wild media assumptions aside, how vulnerable is the smart grid to cyber attack?
There will always be extremes on the risk spectrum: one side that is sure that smart grids will succumb to devastating cyber attacks (power plants exploding, power outages for months, etc.) and the other side that believes the risks are merely scare tactics. The security industry has once again been accused of using FUD (fear, uncertainty, and doubt) to push its products and services into the smart grid arena and the energy industry has been accused of not addressing security and privacy issues.
As usual though, it is somewhere in the middle of the spectrum. Governments, utility companies, and technology vendors are actively considering the security risks that are associated with a smart grid. However, researchers have already uncovered and presented vulnerabilities in smart grid technologies at security conferences and, if history has taught us anything, more vulnerabilities and attacks will almost certainly be identified in the future. The risk of smart grid cyber attacks will never be eliminated, but it can be properly managed.
As systems grow in size, complexity and importance, it’s natural for security risks to grow as well. Does an increasingly digital smart grid necessarily mean a less secure grid?
An increasingly digital electric grid increases the number of cyber attack vectors. In other words, there will be more ways to attack the electric grid through cyber attacks. Those who defend against cyber attacks are always at a disadvantage since they need to protect against every possible attack vector, as opposed to attackers that may only need to find one vulnerability. An effective security program could mitigate most of the risk associated with a digital electric grid. The real question is whether every utility company and technology vendor involved with a smart grid will allocate the necessary resources to implement an effective security program.
Based on your experience, what technologies should be used to mitigate the most dangerous risks while still enabling infrastructure upgrades?
Unfortunately, there is no silver bullet technology for securing a smart grid. There are hundreds of unique technologies in a smart grid, each with its own set of security issues, and the number will only continue to grow. Each component of the smart grid will pose its own risk and have its own set of security controls that will need to be implemented.
Fortunately, most existing security controls (authentication, authorization, encryption, etc.) can be utilized in smart grid technologies. Although, one of the current issues is implementing these security controls in smart grid devices that have limited resources. For example, encryption is computationally expensive and could cause problems for devices that were not built to handle it. Adding on security controls to a device that was designed to only execute its intended operational functionality will most likely cause performance issues, which is why it is imperative to design devices with security in mind and be able to update the device to protect against future threats.
What are the fundamental differences between securing the smart grid and securing any other complex digital system?
The smart grid features new and old technologies that people outside the industry may not be familiar with. As a security professional, if you decide to move into the energy industry, you will be faced with learning all the acronyms, terms, and names of the systems/devices that are commonplace in the energy industry. However, at the smart grid’s core are data networks, applications, systems, employees, and the users, which is similar to any other complex system.
How important is security awareness when it comes to those working in the grid? Are we moving towards a time when IT security training is not just an option anymore?
Security awareness is absolutely critical to securing the smart grid, as it is with any other security program regardless of industry. Additionally, regulations (NERC CIP 004) mandate an “appropriate” level of security awareness training for persons accessing critical cyber assets in the electric grid. While this is a good start, employees that operate and access non-critical assets can significantly affect the electric grid or its users and should receive security awareness training as well.
Consumers will play an even larger part in securing the electric grid. Smart meters will be placed in their homes and they will be using web and mobile applications to monitor and control energy usage, which are all potential targets for cyber attacks. Consumers may also not realize the privacy issues with real-time energy usage data. For example, at DEFCON this year, my co-author and I released a tool that downloads energy usage tweets and builds an energy profile of that person. The tool then determines when that person is home, at work, and sleeping to demonstrate that a burglar or stalker could use energy usage information in malicious ways. As such, utility companies and government agencies should implement security awareness campaigns to help out consumers.
Tell us about your book – Securing the Smart Grid. How long did the writing process take, any major difficulties?
Securing the Smart Grid takes a look at the current and future state of smart grid security and seeks to help professionals assess the technologies, risks, and threats in a smart grid. For those who work in the utility or smart grid technology industry, this book will provide guidance for setting up or improving the security program at their organization. For others, you will learn how to avoid becoming a victim when you become connected to a smart grid.
It took my co-author and I roughly eight months to write the book. Since both of us had demanding day-jobs, the real difficulty was in finding the time to dedicate to the book. Thankfully, Syngress and the tech editor were accommodating to our schedules and supportive throughout the writing process.
What are some of the most interesting details you learned during the creation of the book?
Several government initiatives were being developed as we were writing the book. In particular, the National Institute of Standards and Technology (NIST) was developing the Smart Grid Interoperability standards and, of course, the Guidelines for Smart Grid Cyber Security (NIST IR 7628). So, it was interesting to follow the development and see the official Federal Government recommendations for securing the smart grid.
Additionally, I was interested in the ways our judicial system may handle privacy issues in the smart grid. Currently, law enforcement can use energy usage data to help identify grow operations or other illegal behavior. In the case of People v. Dunkin, the Colorado Court of Appeals determined that a customer does not have a reasonable expectation of privacy in their energy consumption because it does not reveal discrete information about the customer. This ruling is of course based on the existing electric grid, since in a smart grid, energy usage can be monitored in real-time and can be analyzed to obtain very detailed information about the person. So, it should be interesting to see how the courts and law enforcement view this new level of detailed information.