No green grid without cybersecurity


The increasingly ‘distributed’ nature of the grid that is required to tackle climate change also increases the number of points of attack for hackers, writes Francis D’Souza.

Between the melting homeland of polar bears, the increasing ferocity of wildfires and the more frequent inundations around the world, the impact of climate change triggered by greenhouse gas emissions has never been more evident.
This is an issue for all industry sectors and while the electricity and heating industry has made a lot of progress since 2013 when it contributed 30% [1] of the energy industry greenhouse emissions, it still has a substantial way to go and is working hard at it.

Digitalisation, the grid and climate change

Making the grid ‘smart’ and ‘connected’ is key to tackling climate change. The electricity industry has been working across the board to play its part. In what has commonly come to be known as the energy transition, fossil fuels are being replaced by wind and solar renewables in the energy mix, consumers are given more knowledge and empowerment to manage their energy consumption and the grid is becoming more decentralised and distributed.
All this can only be achieved by digitalising the grid and connecting all assets using IoT technologies, in order to have a real time view of demand and supply, improve consumer interaction and control grid components in real time.

Without this digitalisation and IoT connectivity, the greening of the grid is hard, if not impossible, to achieve. Yet connecting assets increases the attack surface and thus the risk of cyberattack from anyone with bad intentions against the energy sector. The electricity grid, being the primary artery underpinning our economies, is at the front-line of the battle against cyberterrorism for economic and strategic gain.

The increasingly ‘distributed’ nature of the grid that is necessary to tackle climate change, as explained earlier, increases the number of points of attack available to a hacker. The good news is that this risk is well known to national authorities: the electricity grid is classified among the critical national infrastructure of countries, with standards and specifications in place to guard against cyberattack scenarios.

One example of this is the NIS Directive in Europe, which covers critical sectors such as energy. Others include the US Cybersecurity Improvement Act (2017) and the publications and recommendations of the European Union Agency for Network Information Security (ENISA).


Combatting cyber threat

The smart energy industry has put in place practices and technologies that combat this cyber threat.
In addition to implementing government regulations and mandates, the smart energy industry itself has implemented technologies and standards on cybersecurity that raise the bar for cyber hackers, keep the grid safe and ensure the privacy of consumers’ information and data. Implementing cybersecurity is about technology, but also best practice.

The underlying principles are simple:

  • Security-by-Design: undertake a formal risk assessment at design phase and put in place mitigation plans
  • Ensure separation of the ‘application’ software from the ‘security’ software
  • Ensure all data exchange is encrypted
  • Ensure only trusted parties can access and securely update assets remotely
  • Ensure security systems are regularly controlled and updated to the highest security standards
  • Have systems in place to do all of this in scale across millions of devices

Converting these principles into reality is the next step, which the industry has already put in place. Implementing the DLMS/COSEM application layer protocol with security Suite 0 and Suite 1 ensures that all data and messages exchanged between smart meters and the backend systems are encrypted and authenticated. As DLMS/COSEM Suite 1 employs digital signatures, it ensures that no unauthorised servers can communicate with and send malicious commands to smart meters remotely, turning them all off, for example.

In order to help with ‘security-by-design’, standardised approaches such as the ‘Protection Profile’ released by ESMIG and approved as a basis for security certification within the European Union should be used for designs of smart meters.

While using proprietary algorithms and encryption may seem appealing, it gives a false sense of protection. If the proprietary algorithm is broken (and it will be eventually), there is nowhere to turn to. Using standards means that the industry has many thousands of laboratories, standards bodies and companies working to try and break algorithms themselves and to constantly share findings and new versions with the broader industry, thus always staying a step ahead of the hackers.

Isolating the application from the security layer and using specialist security companies for implementing the security part of the electricity grid is another very important piece. In the same way, in daily life you would not want your train driver to pilot your aircraft – unless they have a pilot’s licence.

Top utilities follow these practices of using standards and specialist security suppliers.

Lastly, every industry should be humble and realise that security is always a moving target as hackers keep getting better. There will always be a need to update and patch systems. The ability to do so in a way that minimises the risk of malware being introduced during updates is mandatory – the smart energy industry implements standards that utilise mutual authentication and signed firmware updates to ensure this. Without these measures governing updates in place, the cure may be worse than the disease as updates might introduce further hacking possibilities into the smart grid. All of this is taken into account in ‘Security-by-Design’ practices, separation of ‘application’ from ‘security’, DLMS/COSEM standards and the ESMIG Protection Profile. As long as a smart meter rollout follows these standards and principles, a great deal of protection against cyber hacks has already been built in.
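The signed-update check described above can be sketched as follows. This is an added example, not code from the article, ESMIG or the DLMS/COSEM specifications: the function names are hypothetical, ECDSA on P-256 with SHA-256 is an assumed algorithm choice, and the refusal of older versions goes beyond what the article states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("update signature invalid")
var ErrRollback = errors.New("update is not newer than installed firmware")

// updateDigest (hypothetical helper) binds the version number to the image bytes.
func updateDigest(version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	h.Write(image)
	return h.Sum(nil)
}

// NewKey makes a P-256 key pair; in production the private half stays in the vendor's HSM.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignUpdate runs on the vendor's signing host, never on the meter.
func SignUpdate(priv *ecdsa.PrivateKey, version uint32, image []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, updateDigest(version, image))
}

// VerifyUpdate runs on the meter before anything is written to flash.
func VerifyUpdate(pub *ecdsa.PublicKey, installed, version uint32, image, sig []byte) error {
	if !ecdsa.VerifyASN1(pub, updateDigest(version, image), sig) {
		return ErrBadSignature
	}
	if version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	key, _ := NewKey()
	image := []byte("constructed firmware image") // sample input, not real firmware
	sig, _ := SignUpdate(key, 7, image)
	fmt.Println(VerifyUpdate(&key.PublicKey, 6, 7, image, sig))
	fmt.Println(VerifyUpdate(&key.PublicKey, 6, 7, append(image, 0x00), sig))
}
```

Because the version is inside the signed digest, a valid signature for an old release cannot be replayed under a higher version number; the meter only needs the vendor's public key and its own installed version to decide.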

When it’s done right, users have nothing to fear

Once all the principles and standards described above are implemented, and encryption of customer information databases is put in place, consumers and their information are very safe. Even if hackers break into the system, they are unable to do anything as encrypted data is useless to anyone – as is sending commands to energy assets that will not respond to commands originating from untrusted entities. A further layer of protection should also be built on consumer-facing apps and websites, using multi-factor authentication to avoid hacks like password phishing, for example.

Complacency is our worst enemy, not the cyber hacker

Just as athletes keep getting better and sporting records keep tumbling, so do hackers and the systems they can break into. The key is being cognisant of this and maintaining cybersecurity systems, processes and technologies that are constantly state-of-the-art and evolving.

Here again, relying on standards, technologies and companies that are cybersecurity experts helps smart energy players such as utilities, software, and device makers to focus on doing what they do best – making the grid smart and capable of combatting climate change – while constantly maintaining a shield of protection to ensure that this noble goal does not become an Achilles heel.

About the author

Francis D’Souza is Chair of the Data Communication & Processing Workgroup at ESMIG, the European Association for Smart Energy Solution Providers, and VP-Strategy & Marketing at Thales, focusing on IoT.

References

  1. C2ES.org report based on global emissions in 2013