Dr. Klaus Kursawe is the Chief Scientist at the European Network of Cyber Security (ENCS), where he is leading the research and development activities for critical infrastructure security. In this interview he talks about the challenges related to smart grid security.
Do smart grid systems have enough security features? How can you reliably evaluate the security of such systems?
Security is not about features, it’s about overall good design. One general observation is that smart grid systems have a comparatively low security maturity, and that many approaches that work in the IT world cannot easily be translated for control systems. For example, while a normal PC almost continuously receives security patches, patching a safety-critical control system is a difficult undertaking.
For evaluation of the system (as well as securing it in the first place) there is no silver bullet, but a combination of recommended activities such as a proper risk assessment, good design practices (e.g. using state-of-the-art cryptography), compliance and penetration testing, and a review of the overall system architecture.
With the proliferation of the Internet of Things, the smart grid will involve to include a massive amount of interconnected devices. What can be done in order to further protect a customer’s privacy in case of a compromise?
Most of the smart grid will not touch the consumer domain in the first place – the primary contact points here are smart metering and intelligent charging of electronic vehicles. While smart meter privacy is an issue that currently does get attention, it is intended that the data flows from a smart home to the smart meter are one-way – my fridge may need to know the current energy price, but my smart meter has little interest in the content of my fridge.
In general, there should be a strong separation between a fast evolving, user centered consumer comfort technology (as most of the IoT is) and a critical infrastructure such as the smart grid.
Based on your experience, what are the most significant challenges when it comes to securing the smart grid? Do we need more policy?
Securing control systems such as those underlying the smart grid is a hard task, and there are many challenges to overcome. The geographical distribution, extreme longevity of devices, safety requirements, scale and potential consequences of an incident means that the setting of the smart grid is very different from normal IT systems. There is a steep learning curve required both for grid operators and for security professionals.
In the meantime, we see a rapid deployment of smart grid components, so there is little time for thorough development. In the short term, the most important challenge is to assure the basic security properties are correct and follow best practices, and ensuring that all parties involved in the process of implementing a system (vendors, users and integrators, etc.) are committed to playing their part in a secure system.