Smart Energy International spoke to experts from Thales and ESI Thought Lab to determine how extensive the cybersecurity threat is, whether smart meters are vulnerable and how to monitor legacy assets and existing networks.

Industry sectors including energy, finance, automotive, retail and telecom are expected to record an increase in cyberattacks due to growing geopolitical and social unrest. Great economic volatility is also going to contribute to this increase.

This article was originally published in Smart Energy International Issue 4-2020.

Utilities of all sizes are in the unique position of understanding that they have significant exposure to cyber risk, but often it is the smaller of these that don’t have the resources to properly address it. Across the world, state and local governments have the difficult job of utilising limited resources to protect the availability and resilience of systems that not only serve the public, but also contain citizens’ personal data, making them juicy targets for identity thieves.

Utility, critical infrastructure, and logistics companies have an outsized impact on all of us, given that they keep the lights on and goods moving.

Defence against the dark arts

Globally, companies are increasingly assessing ever evolving cybersecurity risks and threats to their assets. They are taking steps to address these by investing resources in people, process and technology. Investment into areas as diverse as protecting the corporate environment, network, cloud, endpoint, infrastructure, application, systems and employee training are on the rise.

Companies are hiring and supporting the best talent their budget can afford, building consistency in operations through automation and well-vetted processes and measurements and, finally, tracking threats and innovating technologies in response. The balance between the fundamentals of people, process and technology continues to be the hallmark of highly successful and resilient cybersecurity programmes.

Multilayered, multipronged defence is essential. Relying on any single strategy, vendor, or technology is just too risky.

That’s one of the reasons that frameworks such as the NIST Identify, Protect, Detect, Respond and Recover strategy have proven to be valuable. They give organizations a way of wrapping their minds around the dimensions of the problem, breaking it up into smaller components, and then tackling each of them appropriately.

A global challenge

Consumers are getting increasingly worried about privacy and how their data is being sold and used. Governments are listening and that was one of the major reasons the European Union developed GDPR in 2018. Many US states are also listening and establishing more stringent privacy laws to protect their citizens’ data and privacy.

The rise of the smart meter

As the proliferation of smart meters across the world increases, concerns are arising that smart meters may not only provide a segue into a utility network but may also access and expose sensitive consumer information.

Francis D’Souza, vice president strategy and marketing – Analytics and IoT, Thales, shared some insights into the possibilities and how to mitigate the risk.

“For the energy transition to happen and to increase the use of renewable power, you need to have a clear grip on your demand and supply. It is only through making your grid smart that you have the ability to get that understanding. Digitalising the grid improves operational performance and resilience. A delay in digitalisation can have a negative impact on business operations. We’ve seen, for instance during the pandemic lockdown, that a lot of utilities which have not rolled out smart meters are having problems issuing bills. The result is they are having cashflow issues. From an operational perspective, it makes sense for everything to be getting more connected. But this comes with an increased security risk.”

D’Souza is, of course, speaking about the increase in private and state-sponsored attacks on critical infrastructure around the world. In Australia, for instance, the prime minister recently confirmed that mission critical infrastructure was being attacked by state actors. And the US recently announced that it would ban the use of components from some countries on its power grids.

“In addition, there have been a couple of other developments which should be making operators of critical infrastructure paranoid,” D’Souza continues. “One of the most developed business models on the Dark Web is something called malware-as-a-service. In this case, that malware is targeted at long life devices such as smart meters.”

The problem with this malware-as-a-service concept is that the malware doesn’t need to be in all meters for it to have an impact. A Princeton University simulation of what are called ‘MadIoT attacks’ – or manipulation of demand attacks – reveals that if a bad actor were to manipulate demand by even 1%, it could bring the entire grid down.

“When you put all of these together, utilities have no choice but to take cybersecurity seriously,” D’Souza cautions. “Security by Design is paramount when planning a system. And then, there are two fundamentals to plan for and implement: namely identity and key management, plus security analytics as an additional protection layer.”

Key management

Key management refers to a system whereby each individual meter is given a unique identity. Each identity comes with a unique encryption key which needs to be confirmed and authenticated against an equally unique key on the utility side every time there is communication between the meter and the Head End System (HES). No mutual authentication – no communication.

However, if it’s as simple as using identity and key management, why is it that it is not being more widely utilised?

Often, this can be due to incorrect implementation of the key management. One of the main principles is that the keys need to be changed every three or four years. However, in the case of utility assets which are in the field for between 15 and 20 years, those keys need to be changed multiple times over the lifespan of the device. Traditionally, the concept of key management for utilities was considered too expensive to implement – especially across multiple millions of meters. But this is no longer the case, says D’Souza.

“Dedicated and purpose-built key management systems for smart metering exist. Utilities don’t have to worry about implementing it themselves, nor do they need to rely on their meter vendor to do so.”

In fact, having an independent system can have benefits, particularly as these tend to be Head End System and meter vendor agnostic and this prevents vendor tie-in to a proprietary system.
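The scheme described above (a unique key per meter, mutual authentication before any exchange, and re-keying during the device's life) can be sketched as follows. This is an added example, not code from Thales or any vendor named in the article; it assumes symmetric keys derived from a master secret with HMAC-SHA256, and all class, function and meter names are hypothetical.

```python
import hashlib
import hmac
import secrets

def derive_key(master: bytes, meter_id: str, epoch: int) -> bytes:
    """Key unique to one meter and one rotation epoch (HMAC-SHA256 as KDF)."""
    return hmac.new(master, f"{meter_id}|{epoch}".encode(), hashlib.sha256).digest()

def proof(key: bytes, role: bytes, meter_id: str, nonces: bytes) -> bytes:
    """Proof of key possession, bound to sender role, identity and nonces."""
    return hmac.new(key, role + b"|" + meter_id.encode() + b"|" + nonces, hashlib.sha256).digest()

class Meter:
    def __init__(self, meter_id: str, key: bytes, epoch: int):
        self.meter_id, self.key, self.epoch = meter_id, key, epoch

class KeyManager:
    """Utility-side key store; holds only the master secret and current epoch."""
    def __init__(self, master: bytes):
        self.master, self.epoch = master, 0

    def provision(self, meter_id: str) -> Meter:
        return Meter(meter_id, derive_key(self.master, meter_id, self.epoch), self.epoch)

    def rekey(self, meter: Meter) -> bool:
        """Install the current-epoch key, but only on a meter proving its old key."""
        nonce = secrets.token_bytes(16)
        old = derive_key(self.master, meter.meter_id, meter.epoch)
        if not hmac.compare_digest(proof(meter.key, b"MTR", meter.meter_id, nonce),
                                   proof(old, b"MTR", meter.meter_id, nonce)):
            return False
        # Assumption: the new key travels over a channel protected by the old key.
        meter.key, meter.epoch = derive_key(self.master, meter.meter_id, self.epoch), self.epoch
        return True

def mutual_auth(meter: Meter, kms: KeyManager) -> bool:
    """True only if head end and meter each prove the same current-epoch key."""
    if meter.epoch != kms.epoch:
        return False  # retired key: re-key before any further communication
    nonces = secrets.token_bytes(16) + secrets.token_bytes(16)  # meter + HES nonce
    hes_key = derive_key(kms.master, meter.meter_id, kms.epoch)
    # The meter checks the head end's proof; the head end checks the meter's.
    hes_ok = hmac.compare_digest(proof(hes_key, b"HES", meter.meter_id, nonces),
                                 proof(meter.key, b"HES", meter.meter_id, nonces))
    mtr_ok = hmac.compare_digest(proof(meter.key, b"MTR", meter.meter_id, nonces),
                                 proof(hes_key, b"MTR", meter.meter_id, nonces))
    return hes_ok and mtr_ok
```

Because each key is bound to one meter identity and one epoch, a key extracted from one meter does not authenticate as another, and a meter left on a retired epoch is refused until it is re-keyed.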

The key management system operates across a variety of smart grid infrastructure but is primarily aimed at smart meter deployments due to the hundreds of millions of meters in the field.

“At that scale, key management becomes very complex. However, if a utility has a key management system that can handle hundreds of millions of smart meters, it can also handle the other elements of the grid,” D’Souza confirms.

Key management can be undertaken by a utility across multiple devices and areas or can be controlled by government as a way of securing critical infrastructure. In one of the countries in North Africa the government is looking to implement a key management system that operates across all the utilities in the country. The utilities are still free to use whichever HES they want and utilise as many meter vendors as they need to.

“It does not matter. There could be multiple utilities in the region, but because the security is managed at a country level, every key that goes in every update to a meter is managed from the agency that’s running it at a country level,” explains D’Souza.

In the United Kingdom, the Smart DCC (i) has implemented a key management system at a country level. They manage the keys irrespective of the utility, HES or meters utilities choose to install.

Thales, which acquired security company Gemalto in 2019, manages mission critical infrastructure and data for multiple countries around the world. The company protects data such as passport details, financial transactions and healthcare records among others. In addition, Thales provides the communication and security technology that goes into millions of IoT devices used in mission critical use cases.

As a trusted, experienced partner, Thales specialises in secure identity management, both onsite at meter vendors and at the utility, ensuring the credentials are verified once the meter is manufactured and a new key is generated on installation. This is to avoid any tampering between manufacturer and utility. “You’re as strong as your weakest link,” explains D’Souza. “It’s not just about key management, but also about ensuring the security of your supply chain.”

“The generating, managing and injecting of billions of secure credentials for items such as payment cards or passports with chips is something Thales does on a daily basis. It is this best practice and expertise that we brought into the smart meter domain,” he says.

Monitoring legacy equipment

What about legacy equipment that is retrofitted with communication? As this is an add-on, what is the best way to ensure the ongoing security of these grid elements?

A cybersecurity operation centre or CyberSOC provides continuous monitoring of networks using analytics to identify and warn of potential intrusions or anomalies.

“By monitoring all the equipment, the algorithms are able to identify unusual behaviour on the network and highlight these for inspection. As the algorithm learns, it is able to classify anomalies into categories,” says D’Souza.

These categories include ‘normal’, ‘unusual but not concerning’ and ‘needing attention’. Depending on the configuration, the system could even warn of potential tampering with a piece of equipment for reasons such as theft.

CyberSOCs can operate on premise or via cloud infrastructure, depending on the need, although most utilities prefer to have these on premise due to the critical nature of their operations.

D’Souza says that in a Thales operated CyberSOC tons of data is received every day and is constantly being monitored by the machine learning-enabled software that analyses and detects potential threats. CyberSOCs are also an essential component to prepare for the unknown threats of tomorrow.

Evolving threat landscape

Ransomware is an increasing threat to the utility sector. Vitally, ransomware is no longer just about encrypting data; it is now also about stealing data and credentials, threatening a victim’s employees and customers, and hyping up negative publicity around the ransomware attack.

Organisations will continue to be challenged to ensure their data privacy policies align with regulatory and legal demands such as those set under GDPR and the CCPA, while also meeting stakeholder expectations for clear and transparent communications. Going forward, it is possible that privacy will consume a much larger portion of security activities and budget, according to ESI Thought Lab, a research company which specialises in the impact of technology on companies.

There is increased ‘democratisation’ of cyberattacks, with more advanced hacking tools available for purchase on the open market. These tools now rival the capabilities of nation states, which will make for much more hostile cyber threat ‘weather’ patterns. The counterpoint will be explosive growth in the commercial cyber intelligence product industry. There will be further acceleration of outsourcing of security capabilities to software-as-a-service (SaaS) offerings and managed security service providers (MSSPs). This is because of the tight cybersecurity talent market and the economies of scale of centralisation. It is here in particular that a CyberSOC is indispensable, as a way not only to protect infrastructure that cannot be upgraded, but also to protect against future unknown threats.

As a result of the ever-changing threat landscape, the cybersecurity industry is encouraging all security considerations to be addressed holistically. This starts with cybersecurity assessments, followed by prevention, detection and finally response systems.

Interesting cybersecurity statistics (ii)

  • Artificial intelligence (AI) technology has come of age in elevating cybersecurity. In 2018, global development of AI within the cybersecurity market reached $7.1 billion, and it’s projected to reach nearly $30.9 billion by 2025.
  • Companies still need to do more to combat rising threats. One in three attack attempts over the last year resulted in a successful breach.
  • The largest losses reported by companies are from malware (66%), phishing (60%) and password reuse (49%).
  • With digitisation expected to increase in the next two years, cyberattacks are also expected to increase through artificial intelligence (38%), denial of service (34%), and web applications (29%).

(i) https://www.smartdcc.co.uk/about/service-providers/
(ii) ESI Thought Lab