Why are our castles now just romantic ruins?
Part of the answer is gunpowder and the eventual victory of the iron projectile over stone walls. But, a more fundamental reason is their static nature, their focus on layers of defensive perimeters and their inability to adapt to more agile and fluid forms of warfare.
In many respects, the battle against the cyber-attacker is similar, especially as it relates to the low-voltage smart grid.
Both vendors and utilities in the low-voltage smart grid industry have focused on multiple lines of defensive positions to secure their smart grid, using technology to create barriers. The underlying concept is that the more barriers you have, the better you can block an attack. If the attacking force was an ill-equipped and poorly educated rabble, led by a few unimaginative iron-clad knights, then that is probably enough.
However, the reality is that cyber-attackers may not be smarter than those we trust to protect us (CISOs, CTOs, CIOs, regulatory and certification bodies, governments), but they are typically far better motivated – either for financial gain, fame (or at least notoriety and personal kudos amongst peers), ideology (terrorism) or loyalty and national pride (fighting as a “soldier” for a nation-state).
They will undertake information-gathering missions to learn about defences, they will assess whether previous successful attacks will work on a new target, they will attack where they see a weakness, they will attack at multiple points in different ways simultaneously to confuse and overwhelm defences, and they will exploit the non-technological points in the defence; the humans, the process, the “old-stuff” and the “forgotten old-stuff”. They will get past the defences, given time and perseverance.
Thinking of the security of the smart grid in terms of multiple layers of slow-moving or static defensive measures is like applying a castle to modern war. Whilst protection is important, what is needed is a more agile approach incorporating the ideas of threat detection and response to initiate pre-planned reactions to protect key assets, identify the intruder, and limit the damage they can do. This is all based on the assumption that the protection will eventually be breached.
What changed to make us want to review our security strategy?
In short, complexity and sophistication in the low-voltage grid. The cyber-attacker exploits the fact that a complex system will likely have loop-holes to gain access. Once inside, they can exploit the sophistication of the system to spread the damage that they can do as far and wide as possible, should they be motivated to do so.
As little as a few decades ago, all the complexity and sophistication of the grid was near the centre in the high and medium voltage grid, and all the security was there too. A cyber-attacker could do little or no damage from the low-voltage grid. With the introduction of smart meters and increased “smarts” in the sub-station and other nodes in the low-voltage grid, the complexity and sophistication are now in the low-voltage grid as well, all the way to the consumer and the privacy of their homes.
The massive increase in the attack surface, together with the opportunity to do malicious damage, means that the threat and the risk substantially escalated with the introduction of the smart grid. Especially, as all the things energy companies expect the smart grid to provide, also offers the cyber-attacker the means to do damage.
We need to start looking more at the low-voltage grid
Of course, the focus on any defence is to protect the points where the most damage can be done if successfully attacked. The SCADA systems of the high and medium voltage grid have received the attention and budgets they deserve due to their asset value and centralised position in the supply of energy. The same focus needs to be applied to the low-voltage grids so that the latest ICT industry honed security practices are implemented in this domain because:
- Even if there are no records of attacks on the low-voltage grids that does not mean there are no attacks or intelligence gathering activities
- The cost of implementing traditional protection mechanisms or regulatory compliance-based security features in the low-voltage grid need not be a major blocker with the introduction of advanced threat detection solutions.
The result has been to develop a semi-static position, just like a castle, where the focus is on building protection mechanisms. Whilst not quite “set in stone” like in the castle, the cost and effort required to adapt existing defences to face new threats can be prohibitive.
The important point is to recognise a threat, a change in the level of threat, or whether an attack is taking place. Without evidence of threat or attack, the only option is to make assumptions: either there is no threat or attack (the optimistic view), or the information gathering attacks being mounted by cyber-attackers are completely successful, and the potential victims are unaware they are taking place.
Will protection mechanisms make me secure?
Of course, investing in protection mechanisms is entirely appropriate and necessary, and the more security-aware smart grid solutions employ multiple lines of defence that cover all anticipated mechanisms of attack. They make it as hard as is technologically possible for the cyber-attacker to get past them.
What is wrong is the suggestion that having built protection mechanisms, you are protected. Experience from the ICT industry has taught us that the cyber-attacker will find a way to exploit humans, processes, “old stuff” and “forgotten old stuff” to bypass or subvert more up-to-date defences. Building defences requires that you know the form of attack, and we should assume that the cyber-attacker will be more ingenious than the defenders and might develop an attack from unanticipated directions.
Will compliance to regulatory standards make me secure?
Several countries and international bodies are implementing stringent new security practices which the equipment vendor is responsible for complying with. Of course, these help as they establish a minimum set of defences and should be applied where possible even if not mandated.
However, certifications are public and help the cyber-attacker in two ways:
- They will know what to expect and may have attack methods from other industries that they know to have been successful against similar or identical forms of defence.
- They will know what to avoid, and so they do not waste time on the harder defences, and look instead for the gaps.
The cyber-attackers are agile and will quickly establish and then possibly publicise potential or actual weaknesses.
Reliance purely on certifications may also lead to other deficiencies:
- Certifications are “point in time”; whilst cyber-security should be a process of continuous assessment and improvement. Furthermore, there is a risk that cyber-security budgets are consumed on compliance, and so starve the on-going and continuous nature of cyber-security of funds
- Certifications provide for a generalised defence; whilst a defence against cyber-attackers should be tailored towards the specifics of the enterprise and an assessment of types of attack it will be subjected to.
Finally, these certifications still focus on the protection, and so do not address the inevitable outcome of a successful penetration and the resulting need for detection and response.
So, following the regulation, even where not mandatory, provides protection that might otherwise be missing. But, it does not replace the need for an active and evolving cyber-security strategy for the low-voltage grid, specific to the local threats.
How to improve the security of our castle
So, we have built a castle using all the perimeter defences that we can. We have used as much technology as is practical, limited by the cost, available time, infrastructure age and other limiting factors.
Let’s start by assuming that the perimeter is not perfect – the castle walls may have loop-holes that can’t be blocked or that we don’t even know about and the locks are too expensive to replace in this year’s budget. OK, so let’s start by putting cheap trip-wires outside the castle so that we know about information gathering and preparatory activity beyond our walls and can be prepared for an attack. That way, we know about the threat and can sensibly respond to a change in underlying threat level.
Let’s now develop ways that we can see the attackers in more detail from the trip-wires they hit, learn something of their intentions, assess the threat they pose and even identify who they are. This way, we know if this is an information-gathering expedition or a major attack and can then respond accordingly.
Let’s now assume that someone can get in and so there is a need to put trip-wires within the castle walls. Maybe, we put more where we think we are weak, but we also put some where we believe ourselves to be stronger just in case we are wrong.
Finally, let’s develop mechanisms to limit the damage that can be done; trap-doors that slam shut to limit the access the attacker has to more vulnerable parts. Sure, that might make life harder for the defenders in the short-term (as some of their flexibility may be limited), but it is far worse for the attacker, as their means of exploitation has been blocked.
How to improve the security of our smart grid
Let’s apply the castle situation to the smart grid and see where this takes us. The key is to know the threat level and identify preparations for attack, actual attacks and successful penetrations of the protection we have put in place.
In effect, the trip-wires are intelligent use of information to identify security-related events. Some of these features will be available in many smart meters, but the full set of trip-wires will only be available from those smart meters that have focused on security and have credentials to prove it. In fact, many of the trip-wires are available from the investments made in protection mechanisms, so we are really leveraging that investment, but in a more organised way.
Once the trip-wires are working, there needs to be a conceptual shift from identifying and tracking individual security events to gaining an evolving appreciation of security incidents. By looking at a security incident, over a time-line, we have developed a method that makes it is possible to identify the level of threat, changes in that threat, the nature of the attack, and put in place defence mechanisms to limit the damage that can be caused.
The industry perspective
A short survey illustrates the growing importance of detection strategies for the low-voltage grid:
A practical solution – Protect, Detect and Respond
NES Grid Watch provides advanced analytics and threat detection that have been developed for specific low-voltage smart grid security threats and attacks. This identifies specific types of security incidents, which may indicate cyber-attacker information gathering, preparations for attacks, actual attacks, and successful penetrations. These capabilities are deployed out-of-the-box and immediately available – there is no need to enter a major development programme to create these analytics capabilities.
Through Grid Watch, you obtain visibility of the activities of cyber-attackers, for multiple attack scenarios including:
- Denial of service, power outages
- The derailment of operational and business algorithms, billing, operations
- Ransom, of customer information, of corporate information, of assets and of service.
NES Grid Watch sits “on-top” of your smart grid infrastructure, monitoring incidents from the information you are probably already receiving from the smart grid and providing you with a far more refined and focused assessment of your current threat level and changes in that threat level. By integrating this information with your SIEM, you can embed an appreciation of the low-voltage smart grid threat level into the wider context to protect yourself from multi-vector attacks.
With Grid Watch, you have added threat detection and response to complement your protection mechanisms, and you can now start looking at how to respond to the inevitable successful attack on your defences.
Protect. Detect. Respond!