Smart Grid's Trojan Horse: Actions to Consider

By Doug Morrill, Associate Director, Navigant [NCI], and Matthew Blizard, Director Energy, Navigant [NCI]


It is troubling that recent Internet hacks that affected popular websites in the United States are being received with surprise. Similar events have been happening for years. The explosion of Internet of Things (IoT) devices complicates the country’s ability to defend its cyber-borders. Policymaking bodies cannot keep pace with technological developments and evolving cyber-attacks, leaving critical infrastructure exposed. Among the targets of cyber-attacks are the industrial control systems (ICSs) that operate the gas, chemical, and electrical grid as well as subways, trains, and more. Solutions require a new level of cooperation between industry, government, and the citizenry before a significant event occurs.

The IoT

The IoT promises to make everyday life more convenient through more efficient appliances. The market for IoT products and services is already large, with cumulative revenue expected to reach more than three-quarters of a trillion dollars through 2025, according to Navigant Research’s "IoT and the Future of Networked Energy" white paper. The IoT has the potential to become the connective tissue for the Energy Cloud that is arising from the transformation of the power sector. Nonetheless, industry experts have issued warnings regarding the lack of basic security in IoT devices. The FBI has also warned companies to take measures against attacks targeting these devices.

Congress has mandated the deployment of real-time demand response (DR) technology and the integration of smart appliances and consumer devices. Recent events demonstrate, however, that demand-side technology is not yet mature enough to risk integrating these devices with utility systems. Integrating such devices with transmission and distribution operational technology (OT) infrastructure is even more problematic.

Recent Events

At 7:00 a.m. EST on October 23, 2016, many popular Internet sites, including Amazon, Twitter, and Spotify, could no longer be reached. Around noon, more sites reported difficulties—in all, over 35 major websites were affected. All used the Internet service company Dyn to deliver services to consumers. This company was the target of a cyber-attack by an individual who managed to hack and hijack tens of thousands of IoT devices.

Without your knowledge, your IoT appliances could have been flooding Dyn's servers, causing one of the worst cyber-crimes in recent history. The hacker achieved his or her objectives and has since released the source code on a public forum, where almost anyone can pick it up to launch variations of this attack. The Mirai application scours the Internet for IoT devices with weak security protections, such as factory-default usernames and passwords. The code then installs remote-control software answering to the hacker, who directs these devices to flood target sites with traffic, shutting them out to legitimate users.

The Evolving Electric Device Vulnerability

The wide-scale availability of IoT devices connected to the Internet via TCP/IP is a recent trend. These devices have proliferated rapidly, with manufacturers rushing to establish their solutions in the marketplace. Soon after these devices became available, the ability to hack into them was publicly demonstrated using tools anyone can download from the Internet; most continue to be sold with default passwords that users seldom change. Devices made by XiongMai Technologies, implicated in the Dyn attack, allowed remote access through a backdoor without any password. The attacker identified these devices, loaded malware onto them, and turned them into bots under remote control. Once the command was given, the devices overwhelmed Dyn's servers with junk traffic.
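The takeover pattern described in the Mirai account above and in this section (one source sweeping many devices for factory-default logins, then a successful default-account login) leaves a recognizable trace in device logs. The following detection logic is an added example, not code from the article or from Navigant; the log format, device names, documentation-range addresses, default-account list, management subnet and thresholds are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed telnet-daemon log lines (not from the article); documentation-range IPs, invented hosts.
SAMPLE_LOG = """\
Oct 23 06:58:01 cam-lobby telnetd: login user=root from=203.0.113.10 result=FAIL
Oct 23 06:58:02 cam-lobby telnetd: login user=admin from=203.0.113.10 result=FAIL
Oct 23 06:58:02 dvr-01 telnetd: login user=root from=203.0.113.10 result=FAIL
Oct 23 06:58:03 dvr-01 telnetd: login user=admin from=203.0.113.10 result=OK
Oct 23 06:58:04 router-02 telnetd: login user=support from=203.0.113.10 result=FAIL
Oct 23 07:11:00 dvr-01 telnetd: login user=admin from=192.0.2.5 result=OK
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) telnetd: "
    r"login user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
DEFAULT_ACCOUNTS = {"root", "admin", "support"}   # assumed factory account names
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed management subnet
SWEEP_DEVICES = 3                                 # distinct targets that mark a sweep
SWEEP_WINDOW_S = 60                               # window for the sweep rule

def parse(log_text, year=2016):  # syslog lines carry no year; the year is assumed
    events = []
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            events.append(ev)
    return events

def detect(events):
    findings, by_src = [], defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
        # Rule 1: a default account logged in successfully from outside the management subnet
        if (ev["result"] == "OK" and ev["user"] in DEFAULT_ACCOUNTS
                and ipaddress.ip_address(ev["src"]) not in MGMT_NET):
            findings.append(("default-account-login", ev["src"], ev["device"]))
    # Rule 2: one source tried logins on many distinct devices within a short window (scan phase)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hit = {e["device"] for e in evs[i:]
                   if (e["ts"] - first["ts"]).total_seconds() <= SWEEP_WINDOW_S}
            if len(hit) >= SWEEP_DEVICES:
                findings.append(("credential-sweep", src, len(hit)))
                break
    return findings
```

On the sample, the external source is reported twice (a default-account login on dvr-01 and a three-device sweep) while the admin login from the management subnet is not flagged.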


Mapping the Electric Device Risk to Electric Critical Infrastructure

Security breaches cost billions to fix, incur lost sales, lessen customer confidence, and can result in injury or loss of life. Due to the increasing number of Internet-connected devices, the gap between the power grid and IoT equipment is narrowing. The utility industry needs to take action now to address these risks. Efforts such as Open Automated Demand Response (OpenADR) can secure communications and standardize IoT devices, but these standards have not been widely adopted by IoT manufacturers. Organizations like the Open Mobile Alliance (OMA) lack a cybersecurity focus—many OMA manufacturers sell products with default passwords that are not required to be changed. Further complicating the issue, low-power chipsets supported by OMA are not capable of strong encryption.

Smart Grid’s Potential Worst Case Scenario

The impact of a coordinated attack on the United States is hard to predict. The two biggest blackouts in history were the result of a lightning strike (1999 Southern Brazil blackout) and tree branches on a line (2003 Northeast Blackout). These incidents triggered a domino effect of failures that caused the fabric of the grid to shatter. Dependencies become harder to manage as the cyber-grid matures, and the potential for compromised control systems to take down large sections of the grid grows. The loss of OT systems could have profound long-term consequences.

Entity Security Actions to Consider

The future of the smart grid and its interconnections between IoT devices and the legacy networks operating the grid depends on the ability to secure these devices from disruption. Just as endpoint security matters, so do DR management systems (DRMSs). Once resources are enrolled, a DRMS enables load and curtailment forecasting, monitors those resources, and generates financial settlement data. The blueprint for the Energy Cloud transforms vulnerable single-threaded generation, transmission, and distribution networks. The future Energy Cloud grid includes thousands of renewable energy sources, distributed storage points, and smart IoT devices that are less vulnerable to widespread cascading outages.

Current IoT devices are not secure enough to integrate with DRMS transmission and control systems, but opportunities exist to start integrating the next-generation smart grid with back-office systems. Cybersecurity planning for the build-out and retrofit of existing infrastructure needs to be aligned with the demands that will be made over the next 20 years. Advances are emerging in reliable and secure communications with IoT-enabled systems; the requirements to support them should be developed today.

An incentive needs to be implemented to prioritize emerging smart grid security solutions. Utilities need to acknowledge that Internet-based communications with IoT devices are a legislative and market-driven imperative. The two key factors in building out a secure Energy Cloud infrastructure to the home are speed and bandwidth. Existing advanced metering infrastructure (AMI) and RF mesh networks cannot support these requirements or secure consumer IoT devices. Current AMI technology typically depends on a limited number of device types; if one device type is compromised, the potential impact is extensive. Many existing AMI solutions have remote switch capabilities that can shut off power to individual homes. If a cyber-attack were to open many remote switches at the same time, generators would likely go into over-speed and trip offline, creating a cascade that results in widespread outages. Regardless of existing technologies, anything beyond the last device controlled by the utility must be assumed to be a potential security risk. While these are uncharted waters for many utility companies, pilot programs for residential and commercial IoT device testing should be considered now. Regional collaborative efforts that use a standards-based approach can greatly reduce cost and improve outcomes.
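The over-speed mechanism above can be made concrete with a simplified single-machine swing-equation model with a droop governor, added here as an illustration (not from the article, and not a model of any particular utility): when load is disconnected instantly, generation briefly exceeds load, frequency rises, and if the imbalance is large relative to system inertia the over-frequency trip setting is reached before governors can act. The inertia constant, damping, droop, governor lag and trip threshold are all textbook-style assumptions.

```python
# Simplified single-machine frequency model for a sudden loss of load
# (constructed illustration; every constant is a textbook-style assumption,
# not a measurement of any real grid).
F0 = 60.0      # nominal frequency, Hz
H = 5.0        # system-equivalent inertia constant, s (assumed)
D = 1.0        # load damping, pu power per pu frequency deviation (assumed)
R = 0.05       # governor droop, 5 % (assumed)
T_GOV = 2.0    # governor/turbine first-order lag, s (assumed)
F_TRIP = 61.5  # assumed generator over-frequency trip setting, Hz

def simulate_load_loss(load_loss_pu, t_end=10.0, dt=0.01):
    """Return (peak_frequency_hz, tripped, time_s).

    load_loss_pu is the fraction of system load disconnected at t=0
    (0.10 for ten percent). Forward-Euler integration of the swing
    equation with a droop governor behind a first-order lag; time_s is
    the moment of the trip, or of the frequency peak if no trip occurs.
    """
    df, dpm = 0.0, 0.0                 # frequency deviation (Hz), mech. power change (pu)
    peak_f, t_peak, t = F0, 0.0, 0.0
    while t < t_end:
        # Power surplus = lost load + governor action - frequency-dependent load
        surplus = load_loss_pu + dpm - D * df / F0
        ddf = (F0 / (2.0 * H)) * surplus                 # swing equation, Hz/s
        ddpm = (-(1.0 / R) * df / F0 - dpm) / T_GOV      # droop response with lag
        df += ddf * dt
        dpm += ddpm * dt
        t += dt
        f = F0 + df
        if f > peak_f:
            peak_f, t_peak = f, t
        if f >= F_TRIP:
            return round(f, 2), True, round(t, 2)
    return round(peak_f, 2), False, round(t_peak, 2)

def main():  # compare a modest and a large simultaneous disconnect
    for loss in (0.10, 0.30):
        peak, tripped, when = simulate_load_loss(loss)
        print(f"{loss:.0%} of load lost: peak {peak} Hz at {when} s, tripped={tripped}")

if __name__ == "__main__":
    main()
```

Under these assumptions a 10 % disconnect peaks around 60.6 Hz and the governors recover it, whereas a 30 % disconnect crosses the trip setting in about one second; the model stops at that first trip and does not represent the cascade that follows.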

In order to build out the next-generation smart grid, consumer technology manufacturers, Internet service providers, and IT engineers and professionals need to understand the challenges and risks of integrated OT systems. Utility service providers and engineers need to start planning and testing secure Internet-based systems that bridge the DRMS gap and interact with commercial applications in the home.
