The Utility industry is struggling with strategies to guard itself, its assets, and most importantly its customers from malicious cyber attacks. Grave and unparalleled cyber attacks are front page news more often than they should be and no Utility wants to damage its reputation or negatively impact its business nor that of its customers by suffering an unwanted interruption, thief, or spiteful assault.
Therefore, the industry as a whole is searching for answers and approaches to shield itself from unwanted and regrettable incursions. Of course, the regulator is taking this state of affairs seriously too and new enhancements to the NERC CIP regulations are aimed squarely at protecting critical infrastructure vital to the nations it serves. A serious attack could be devastating to the company, the country, and even impact gross domestic product results.
In USA Today, they state that the Utility industry is attacked, by cyber or physical means, at least once every four days.
In contrast, some of the approaches to next generation security being deployed or being considered are so restrictive that they make security obscenely expensive for the Utility to even afford and in some cases are counter-intuitive to other applicable regulations.
What is needed is balance. A balanced response that provides varying levels of protection in accordance to the threats being mitigated.
Security is not a one size fits all situation. Security needs to be applied in a manner that provides the right level of protection for the need. What we do for generation might be different than what we do for transmission and distribution.
In order to achieve the real-time aspect, we require a federated security solution that has a distributed profile and is no longer centralized like we have always done in the past. We need a new security architecture to map to the edge of the smart grid networks. It must use stream computing for deep packet inspection in just 1 to 4 microseconds. The time domain is essential in this new model so the intelligence needs to be out nearer the edge of the networks as we can no longer afford the time delay to flow to and from a centralized controller. The security needs to be autonomously enabled to act independently as necessary but also collaboratively when it is able to communicate situational awareness to the network operations center once the attack is remedied. So, both distributed and centralized aspects are needed in the new architecture. Defence is at the edge with coordination at the center.
Security is not static. It needs to be dynamic and vary its response to the threat and escalate as necessary to stay ahead of the threat. In this day of wonderfully automated analytic analysis that can instantly diagnose a threat and deploy real-time counter-measures designed for that specific level of threat, we as an industry should be able to benefit from a variable level of response that is balanced to the urgency and demands of the penetration.
NERC does a level-headed job of sizing and scaling the need for CIP regulations based upon the criticality of the assets and the functions that they provide. However, we have seen some Utilities apply a uniform level of security to all assets, even when it may not be directly applicable, warranted, or cost justifiable.
The thesis proposed here is to suggest that we can not blindly apply a single unified strategy. We need balance in our approach and the ability to provision a dynamic solution that operates in real-time with enhanced security that is necessary to effectively and efficiently fend off the threat. To be clear, cyber security is a moving target and is a journey that demands different responses at different times – so it is not a destination. The threats and risks are highly dynamic and not as static as some might think. Therefore, it demands an open mind and a level of agility that we have not experienced before. To make matters more interesting, we need a lean approach to security that is appropriate to the risk and considers the cost for the solution. Security can not be so expensive that it renders the networks unaffordable to deploy.
We need balance in our thinking!
Michael Martin has more than 35 years of experience in broadband networks, optical fibre, wireless and digital communications technologies. He is a Senior Executive Consultant with IBM’s Global Center of Excellence for Energy and Utilities. He was previously a founding partner and President of MICAN Communications and earlier was President of Comlink Systems Limited and Ensat Broadcast Services, Inc., both divisions of Cygnal Technologies Corporation. He holds three Masters level degrees, in business (MBA), communication (MA), and education (MEd). As well, he has diplomas and certifications in business, computer programming, internetworking, project management, media, photography, and communication technology.