In an earlier white-paper, we questioned how to feed information into the ever-hungry maws of the big data and AI platforms, especially focusing on the information coming from the low-voltage grid.
The Question, Re-phrased and Summarised
As the Smart Energy Transition picks up pace, the role of the smart grid is coming more into focus. Major drivers are the initiatives around Electric Vehicle introduction, distributed and green energy production and storage, energy community projects and micro-grids. These will have profound effects on the low-voltage grid, as this is where many of these initiatives are being delivered.
Historically, it has been a major challenge to provide cost-effective monitoring, management and control in the low-voltage grid. The result we have now is a low-voltage grid which is essentially passive in nature, with manageability limited to the “edges” of a black box and limited means to see, and then control, what happens within that black box.
The earlier White-paper described a series of “false dawns” where individual technology solutions presented possible answers: big data and AI itself, IoT to gather information and connect devices, and then the smart meter. These solutions do not work in isolation, and it is only by integrating them into wider systems that it becomes possible to shine a spotlight on the low-voltage grid and on how it supports the Smart Energy Transition. In summary, the need is to have the measurement points in the low-voltage grid, enrich the information close to the source, connect multiple communications paths to the devices so that the strengths of multiple technologies can be combined, and apply robust security to protect privileged information at source and in transit.
This then starts to drive the decision around investment in the low-voltage grid, especially in smart meters. The question for the procurement strategy for utilities is essentially: “With the major investments in big data and AI solutions, does it not make sense to focus investments on the sources of the information and the means of getting it? Isn’t the alternative simply wasting the opportunity to leverage the investment in the big data and AI platforms, and so have them become starved of information they need to justify their position?”.
The results of a short survey conducted by NES, in conjunction with Smart Energy International, go a long way to confirming some of these positions, and indicate where the utilities industry sits on this important issue. The survey was conducted in the course of a webinar addressing these specific issues, which was attended by a blend of utilities, consultants, regulators and technology providers.
Around 75% of the respondents have investments either on-going or planned for big data and analytics for the low-voltage grid. This confirms the overall investment profile and the perception that it is important to gain more insight into this important part of the network.
An interesting dip in the next 12 months is an indicator of projects in wait status, possibly waiting for external drivers, such as regulation and technology capabilities, to establish themselves more clearly over late 2019 and 2020.
What is interesting here is the perception that the information is fundamentally not readily available. This is clearly a reflection that, unless supported by deployments of sophisticated smart meters used as sensors in the low-voltage grid, there is little information available. It also indicates that visibility within the black box of the low-voltage grid is lacking. It may be possible to put some level of manageability around the edges, but what happens inside is still unknown.
The second outcome was the reliability of getting to the information. This has been a major problem historically – whilst communications infrastructure exists, it is often not tuned to the specific demands of a smart meter deployment, and so reachability can be a challenge. This leads to the need for improved tooling for managing the communications outcomes – not communications network management, but tooling to monitor SLAs on the business transactions of gathering information, and then using these to drive improvement plans. Related to this is the overall deployment of O&M tooling to keep the smart devices in the grid functioning properly.
Once availability and reliability improve, it is probable that the next bottleneck will become throughput. The information will be there, and the challenge becomes how to get to it.
This next question focused more on the balance between procurement policies aiming to maximise margin by reducing cost and the need to invest in infrastructure. In the case of this survey, the underlying point is whether the investment in big data and AI solutions is balanced by investment in the equally important sensors and communications infrastructure in the low-voltage grid.
Currently, there seems to be a balance between future-looking functional requirements and the need to control costs. Interestingly, there is a very slight bias towards the future-looking functional requirements, which may indicate that procurement departments are starting to become aware of the need to invest in the low-voltage grid in order to leverage the investment in the big data and AI platforms.
The focus of this question was not just IT security generally, but specifically related to the increased deployment of advanced devices in the field, which, themselves, open up the opportunities for cyber-attack, directly as a result of their sophistication.
Unsurprisingly, people are generally very concerned. As more information is gathered from the low-voltage grid to feed big data and AI, there is more opportunity to capture that information, falsify it or simply block the flow. Whilst this is deemed to be simply operational data, the scope of impact is limited to the utility's operational efficiency, but as more information comes from the smart meters, there is more of a perception that this is personal information. This brings GDPR (and similar legislation beyond Europe) into the equation.
What is interesting is that there are people who are only Moderately or Slightly Concerned; possibly driven by (1) the lack of publicised attacks, (2) the hope that it will happen to someone else and (3) the expectation that technology will provide an answer in time.
NES Perspective on the Survey
NES provides smart grid devices and complementary operations, analytics and security software solutions.
Consequently, such results relate strongly to NES capabilities:
NES provides high-quality smart grid devices for the low-voltage grid which provide sensors, multiple communications options and protection of the valuable information. Investment in high-quality smart meters is the cornerstone of gathering information from the low-voltage grid.
All NES devices are built to these underpinning principles.
NES provides enrichment of the sensor information by discovering the topology of the low-voltage grid, and then assessing phase balancing and energy flows within this grid. As well as providing for operational improvements and outage impact detection, this provides more of the information required to perform capacity and loading analysis in readiness for EVs, distributed generation, fraud/theft and community energy. This is the information required from the low-voltage grid to drive the Smart Energy Transition forwards. NES Grid Navigator and Grid Flow provide these functions.
Operations and Communications Monitoring Software
Operational efficiency and monitoring communications SLAs are a key aspect of maximising the information which can be gathered from the low-voltage grid, by identifying areas of poor performance and then using this to assess root causes and resolve them. As well as assuring the communications, robust O&M activities, supported by tooling, ensure that the availability of the devices is maximised together with the communications. Finally, reception of events and alarms can also indicate problems in the low-voltage grid – the meter sees the symptoms of wider problems.
NES Grid Operations solutions implement both these key functions.
The smart grid industry has focused on maintaining an IT security perimeter. Most ICT strategies now recognise that the perimeter will be breached, and protection in depth is required. This is achieved through intrusion detection and response systems.
NES Grid Watch provides intrusion detection and response solutions specifically for the devices now being deployed into the low-voltage Smart Grid.
A very interesting survey, and thanks to all who contributed.
Overall, the results indicate that there is a significant on-going investment in big data and AI, specifically as it relates to the low-voltage grid. There is at least a balance between procurement policies of back-end analytics and sensors in the low-voltage grid compared to cost control, meaning that utilities recognise the dependency between the two areas of investment. Using the meters as a sensor is clearly a major opportunity, but more can be done to expose what is actually happening in the low-voltage grid black-box. Finally, getting all this information and keeping it secure is a major concern.
NES Smart Grid solutions are well placed to assist utilities as they move through the Smart Energy Transition and use Big Data and AI as a means to drive their business and technology decisions.
This has happened before
Other industries have gone through a similar transition.
Only 30 years ago, the telecoms network looked just like the traditional pre-smart-grid with technology in the centre and passive “dumb” equipment in the field and the consumer premise.
All that changed with the introduction of Digital Subscriber Line (DSL) and then (a few years later) with the smart-phone – suddenly, the sophistication of equipment in the field and the consumer’s premise (and the consumer’s hand) increased dramatically and started to look more like IT resources than telecoms equipment.
Today, a typical telecoms service provides a DSL (or cable or satellite) modem, a router, a smart phone, often together with broadcast and on-demand TV, in-built value-added services delivered to these end-points, connections to highly sophisticated equipment in the exchange/head-end/base-station, and a number of back-end services hosted by IT infrastructure either at the exchange/head-end/base-station or potentially anywhere, including the cloud. Communications are bi-directional and services can be provided by IT close to what was traditionally the edge of the network. Whilst dedicated telecommunications equipment remains, it is largely software enabled, and most of the high-value services are provided by software solutions.
Processes for the operational management of this technology needed to change to support these new types of resource and service delivery supply-chains. The result, being implemented today, is a set of standards derived from a convergence of TMF eTOM (processes dedicated to the management of telecoms infrastructures) and ITIL (the IT Infrastructure Library), which is a process set for the operations of IT infrastructure. It is this practical blending of telecommunications requirements with IT requirements which has led to this successful outcome.
OT and IT Convergence
This change in the telecoms industry is not isolated.
There is a wider trend of convergence amongst Operational Technology (the tools and systems which execute an organisation's operations) and Information Technology. The drivers are very similar – initially, operational assets were not very intelligent or “open” in terms of their manageability, and so proprietary tooling was required to manage them, often labelled SCADA. As infrastructure embeds more IT-like characteristics and starts to follow more “open” management, communications and security protocols, there is a natural convergence.
Consider a fleet of trucks as an operational asset of a haulier. A decade ago, these were counted in and out at the depot with a mileage and tachometer check at the end of each day. Now, the truck has GPS, real-time telemetry and all sorts of driver aids, all driven by software, configuration and reference data (e.g. digital maps and traffic information) which are automatically updated. And the materials in the truck all have RFID tags so they can be logged into an asset management system via scanning.
And that is just trucks and haulage – imagine the convergence possibilities for a technology area which is actively trying to be smarter.
Applying IT management concepts to the Smart Grid
ITIL can benefit the Smart Grid, when used in conjunction with specific Smart Grid aligned operational processes.
It is grouped into five main process areas – Strategy, Design, Transition, Operation and Continual Improvement. Although developed for the IT industry, it is easy to see how these can become relevant to the Smart Grid as it evolves to contain more and more IT resources.
Not all elements of ITIL are directly or immediately relevant to a DSO’s Smart Grid operations, and all should be blended with those operational processes which are specific to the Smart Grid.
But, that is OK. ITIL is designed so that it can be applied gradually to an organisation, with a focus on those specific outcomes the organisation wishes to achieve. For a DSO operations team, the focus would be on Design, Transition and Operation, with Strategy and Continual Improvement being part of the surrounding organisational context for the DSO operations team.
So, as the focus on business and regulatory KPIs for the ops team increases and more IT is deployed towards the edge and towards the consumer, the following ITIL elements will become important, blended into the Smart Grid operational processes and driven by distinct business outcomes.
Keeping the Smart Grid specifics; recognising the differences
Keeping those operational processes which are specific to the Smart Grid is important. In telecoms, the outcome was a blend of two standards, eTOM from the TMF and ITIL. The same approach should be adopted for Smart Grids.
This is particularly important in security; the Smart Grid has specific threats, vulnerabilities and temptations to the cyber-criminal which are unique to it. Whilst IT security practices can form a template, they do not provide directly applicable solutions. This is one area where the Smart Grid operations teams need to consider carefully – who will attack me, what is their motivation, what parts of the infrastructure will they attack, how will I identify the threat, how will I recognise an attack, how will I know it is successful, how will I respond to it. Answers to these questions can’t be lifted from an IT manual and applied to Smart Grid operations – they are unique to Smart Grid.
Making practical use of this
Right now, Smart Grids are being deployed, and the focus is on rollout and business case realisation. But, soon, the operational efficiency will become more significant, as it becomes more widely recognised that this is an influencer on many of the business and regulatory KPIs upon which the business case is based – specifically, customer experience, reputation, op-ex, cap-ex, revenue leakage reduction and security. The increasingly dynamic nature of the smart grid will need to be managed to meet the demands of the smart energy transition.
Like in the telecoms example, the operational requirements associated directly with a Smart Grid will be combined with a more general appreciation of operating an IT infrastructure, especially in the area of security. At this stage, a new class of operational tools will be required which implement ITIL aligned processes in conjunction with the specific process and technology requirements of the Smart Grid.
Such tools are in development today, in readiness for the point when the IT in the Smart Grid dominates over the physical infrastructure.
A real solution
Networked Energy Services (NES) is a leading developer of smart grid technology. It is investing in a new suite of solutions which are already blending key ITIL concepts with Smart Grid operations to ensure that the Smart Grid can be efficiently operated as the increased embedded IT makes it Smarter. Furthermore, its suite includes new security solutions which are targeted at the specific challenges inherent in securing a Smart Grid environment. Currently, NES has deployed its operational management solutions for over 1M meters in the Americas, Europe and the Middle East. Its largest deployments are managing many hundreds of thousands of meters.
… For mature markets
The days of using data-centric solutions to meet operational needs, through expensive and bespoke customisation are drawing to a close. As agility and operational process specialisation becomes more important, tools which can be quickly deployed and provide in-built best-practice for operating IT-aligned grid infrastructure will become relevant. Increased focus on the security of the Smart Grid will drive the importance of dedicated security operations tools with in-built knowledge of how cyber-criminals will try to exploit the Smart Grid.
… For emerging markets
Although the focus is often on a rollout and achievement of the first generation of business benefits, the need to maintain the infrastructure in a mode that enables high performance is increasingly in focus. This drives the need for operational tools which guide the DSO through the extension of operational processes. From a security perspective, emerging markets often represent an “easy target” – although financial drivers for attack may not be present, the incentive to disrupt social energy schemes and government and NGO sponsored initiatives is very tempting.
… Proven consolidation through standards compliance
The NES solution is designed to support any OSGP Smart Grid deployment. In fact, in one deployment of over 400K meters, NES solutions are managing three OSGP vendors, with initiatives to introduce more OSGP vendors into that same network over the next few years.
A critical step utilities should be taking is to install monitoring and alarm systems to detect potential attacks.
Utilities should prepare to defend themselves against hackers attempting to access the grid via the new fleet of smart meters, says Emil Gurevitch, Senior Security Architect at Networked Energy Services (NES).
The industry is in a dilemma when it comes to cyber security, as while there is a need to share information, utilities do not want to talk openly for fear of exposing themselves to more threats or attracting negative press.
NES supplies smart meters to many countries in Europe, the Middle East, Asia, Africa and the Americas. In Europe, this includes Sweden, Finland, Denmark, Poland, Romania, France, Switzerland, Austria, Italy and Germany. Although many of these countries are less worried about the kind of national adversary threat that the heightened tensions between Ukraine, Russia, the US and China bring, there is a growing concern about criminal hackers looking to make financial gains or just disrupt the smart energy transition to make a name for themselves.
Wide attack surface
Not a lot of attention has been paid to smart meters, which are a relatively newer technology than the SCADA systems for substation control and management of other parts of the smart grid, Gurevitch says. But clearly smart meter systems will become increasingly interesting for hackers as they create a wide attack surface with a varying range of security. There are easy ways to figure out what technology is out there, Gurevitch says. Public records of utility tenders and standards are all out in the open. A smart meter is very accessible – every home and office has one, normally in a private, out of the way place. Once the serial number is found, that can lead to an accurate account of what the technology is, and it can then be tested against known weaknesses.
The wave of smart meters being rolled out across Europe represents a huge investment, and utilities need to see a return on that expenditure – a single cyber-attack can wreck the business case for a smart meter rollout. The life cycle of a smart meter is around 10-15 years, but that is a very long time in cyber security and a long time to be exposed to attack, Gurevitch says. Some utility executives understand the issue and are reviewing and improving their security posture, and some are in standby mode waiting for something to happen before taking action.
A storm brewing
“Utilities have a chance to be proactive and anticipate attack rather than wait for something bad to happen. There’s a storm brewing and we have an opportunity to prepare for it,” he says.
Utilities should focus on monitoring, as at the moment many do not know what is happening at the grid edge, Gurevitch says. “Some utilities are completely oblivious to the threat of attack, as if blindfolded.” Once monitoring systems are put in place and a threat is detected, the next stage is implementing the response. NES is developing such monitoring solutions in close collaboration with their utility customers and local partners.
Soon such security measures are likely to be mandatory. There is a big push from the US regulator, the Federal Energy Regulatory Commission, and Europe has several certifications and other initiatives underway.
Europe has made a lot of progress and new smart meters have embedded security, while Asia and the Middle East are moving a little slower and are still in the development and deployment stage, says Nicolas Viot, head of the penetration testing team at Sogeti, part of the Capgemini group. He agrees with Gurevitch that one of the biggest challenges facing utilities is the length of time the smart meters will be in place. “In IT we are not used to supporting systems for such a long time,” he says. Future challenges include protection for end-user connectivity, as more consumers monitor consumption on mobile phones, smart home and building solutions, smart cars, and digital rights management, for example renting movies via smart TVs. “You have to look at new threats that will emerge,” he says. A future trend will be incorporating small producers of renewable energy into the grid, which will create a new cyber security challenge.
While it can be costly, it does not have to be, and cyber security spending will ultimately be worth it just like insurance, Gurevitch says. “Those investments will repay through reduced energy disruption, reduced loss of customer information and improved PR when these systems are subject to attacks by criminals.”
Smart grids are a critical national resource, and like any other, are subject to cyber attack. To date, smart grid cybersecurity strategies have focused on the perimeter. What happens when an attack is successful, and a cybercriminal gets past the perimeter? This is when defence in depth is needed.
A tempting target
A smart grid is a DSO’s (Distribution System Operator) largest investment and a national asset upon which mission critical and life-saving services rely. Government, business and residents rely on the service it provides every second of the day. It provides the energy supplier with their revenue, and through it, the DSO has access to highly privileged and sensitive customer information.
To achieve the social and economic benefits of a smart grid, sophisticated equipment has been deployed further into the less regulated and secured low-voltage grid. Whilst this meets the objectives for smart grid, it creates more points of entry that a cyber-criminal can exploit.
High profile and prestige smart city initiatives depend on smart grid for efficiency and optimisation – a successful attack could bring a smart city to its knees. So, these targets are attractive for extortion or high profile disruption – both motivators for financial and hostile government sponsored attackers.
These are not the only attractive targets – terrorism motivated attacks focus on many targets across the globe. Potentially all smart grids are a target to attacks focused on political or sectarian drivers.
Is protecting the perimeter enough?
The Information and Communications Technology (ICT) industry has found, to its cost, that relying on perimeter defence against cybercriminals is insufficient. A perimeter is a combination of ICT, processes and people. Even where the ICT piece achieves high theoretical protection, it is the process and the people that can create “loop-holes”, which the cyber-criminals are highly skilled at exploiting.
This is equivalent to relying solely on the strength of your locks to your home and hoping that no one else has a key or can pick the lock!
Modern cybersecurity solutions are a combination of defence in depth with the assumption that, eventually, protection will be breached. This means that only when detection and response are coupled with protection is it possible to offer a comprehensive defence.
If the smart grid was your home, you would be subscribing to a local community watch project (to monitor general threat), installing video cameras in front of your door (to monitor specific threat) and installing a burglar alarm within your home (to monitor for successful intrusion).
How strong can the perimeter be?
The smart grid is increasingly complex. Upgrading the perimeter to the latest standards may simply be too disruptive and time-consuming to do quickly and in response to new attack mechanisms. The reality is that the attacker always has the initiative and technology will lag – both in creating the solution and deploying it across national infrastructures.
The perimeter will always be porous.
If the smart grid was your home, you would be changing the locks every week!
Is visibility of security events enough?
Even if a DSO is aware of security events, they can be missing important indicators of attack, simply because they are lost in the background of low-level threat indicators and false positives. Common responses are to log everything or log nothing. In either case, some DSOs may be unable to spot the key indicators which would allow them to adopt a modified security posture in response to a threat, or to react to block an attack or limit a penetration.
Making sense of all the information
A key concept implemented in many SIEM (Security Information and Event Management) systems is correlation of large volumes of isolated and (potentially) false positive events against a wide set of contextual information. Such context may include scheduled events, topological or geographical information, known threat information, historic information, known and anticipated methods of attack and actual attack elsewhere.
The challenge is that ICT SIEMs are focused on ICT infrastructure and do not have a built-in “understanding” of smart grids with which to make sense of the specific information or context.
What is required in a SIEM is the ability to:
- Monitor the smart grid without interrupting or disrupting the key service it offers
- Interpret events from the smart grid
- Have the right context by which to assess these events
- Identify and be familiar with the types of attacks which are specific to a smart grid
- Have awareness of attacks across a community.
With this new generation of SIEM, it is possible to build a defence in depth for the smart grid.
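To make the five requirements above concrete, here is a small correlation engine written for this page as an added example; it is not NES code and not a description of Grid Watch. It applies context the way the preceding paragraphs describe: meter-unreachable events are suppressed when they fall inside a scheduled maintenance window for the serving concentrator (so they are neither "logged as everything" nor dropped), while authentication failures are grouped by concentrator using the grid topology, and a burst across several meters in one segment is raised as a grid-specific indicator, escalated if a (constructed) community feed reports the same pattern. The event fields, topology, maintenance window, thresholds and indicator names are all constructed assumptions for illustration.

```python
"""Smart-grid-aware SIEM correlation (added example; not NES/Grid Watch code).

All topology, windows, thresholds and events below are constructed for
illustration and are not taken from any real deployment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed context: which data concentrator serves each meter.
TOPOLOGY = {
    "MTR-0001": "DC-A", "MTR-0002": "DC-A", "MTR-0003": "DC-A",
    "MTR-0004": "DC-B", "MTR-0005": "DC-B",
}

# Constructed context: planned firmware roll-out on DC-B; unreachability
# during this window is expected and should not become an alert.
MAINTENANCE = [
    ("DC-B", datetime(2019, 6, 1, 2, 0), datetime(2019, 6, 1, 3, 0)),
]

# Constructed community feed: pattern names reported by peer DSOs.
COMMUNITY_IOCS = {"auth_failure_burst"}

# Constructed event stream: (timestamp, meter id, event type).
EVENTS = [
    (datetime(2019, 6, 1, 2, 10), "MTR-0004", "unreachable"),   # in window
    (datetime(2019, 6, 1, 2, 12), "MTR-0005", "unreachable"),   # in window
    (datetime(2019, 6, 1, 9, 0), "MTR-0001", "auth_failure"),
    (datetime(2019, 6, 1, 9, 1), "MTR-0002", "auth_failure"),
    (datetime(2019, 6, 1, 9, 2), "MTR-0003", "auth_failure"),
    (datetime(2019, 6, 1, 9, 3), "MTR-0001", "auth_failure"),
    (datetime(2019, 6, 1, 12, 0), "MTR-0001", "unreachable"),   # no context
]

AUTH_BURST_THRESHOLD = 3             # distinct meters on one concentrator
AUTH_BURST_WINDOW = timedelta(minutes=5)


def in_maintenance(concentrator, ts):
    """True when a planned window for this concentrator covers ts."""
    return any(c == concentrator and start <= ts <= end
               for c, start, end in MAINTENANCE)


def correlate(events):
    """Turn raw meter events into a short list of contextualised alerts.

    Returns (severity, concentrator, message) tuples, in the order raised.
    """
    alerts = []
    auth_by_dc = defaultdict(list)   # concentrator -> [(ts, meter), ...]

    for ts, meter, kind in sorted(events):
        dc = TOPOLOGY.get(meter, "unknown")
        if kind == "unreachable":
            if in_maintenance(dc, ts):
                continue  # expected outage: suppress, do not log everything
            alerts.append(("low", dc,
                           f"{meter} unreachable outside any maintenance window"))
        elif kind == "auth_failure":
            auth_by_dc[dc].append((ts, meter))

    # Grid-specific pattern: authentication failures spread across several
    # meters behind one concentrator inside a short window look like probing
    # of that segment rather than a single mis-keyed device.
    for dc, failures in auth_by_dc.items():
        for i, (t0, _) in enumerate(failures):
            in_window = [m for t, m in failures[i:] if t - t0 <= AUTH_BURST_WINDOW]
            distinct = set(in_window)
            if len(distinct) >= AUTH_BURST_THRESHOLD:
                # Community awareness raises the severity of a known pattern.
                severity = "high" if "auth_failure_burst" in COMMUNITY_IOCS else "medium"
                alerts.append((severity, dc,
                               f"auth failures on {len(distinct)} meters within "
                               f"{AUTH_BURST_WINDOW.seconds // 60} min"))
                break  # one alert per concentrator per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run stand-alone, the two maintenance-window events produce nothing, the lone midday unreachable event becomes a low-severity alert, and the four authentication failures on DC-A collapse into a single high-severity alert. The point of the design is that the same raw events would have been either noise or silence in a generic ICT SIEM; the topology and schedule context is what separates an expected outage from an indicator.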
Outcomes of defence in depth
With such a SIEM in place, the DSO can defend itself in depth, and not rely solely on the perimeter.
This is a little like being in the community crime watch, having a security camera outside your house and a burglar alarm inside. To continue the analogy, a home owner may even accept older locks if they have the deterrent and defence in depth.
Defence in depth provides for:
- Evaluation of the current threat-level and changes over short, medium and long-term
- Detection of a specific threat and initiation of responses to harden the smart grid in readiness for attack
- Detection of attack and initiation of responses to protect the infrastructure within the perimeter
- Detection of a successful intrusion and initiation of responses to limit damage
- Shared information across a community concerning threat level and actual attacks
- Localisation of the threat with the opportunity to go on the offensive against the cyber-criminal!
The business outcome
DSOs with such a SIEM will be less vulnerable to denial of service attack or ransom, theft of corporate or customer information and theft of smart grid infrastructure, and may also enjoy lower corporate insurance premiums.
The social outcome
Consumers will be less vulnerable to disruption of supply and publication of personal information.
About NES and Grid Watch
Networked Energy Services (NES) provides Smart Metering and Smart Grid products and services including industry leading security solutions. NES Grid Watch provides additional defence in depth beyond the Smart Meter perimeter.
As Smart Grids evolve, they start to look more and more like distributed IT and telecommunications networks.
Gone are the days where the Electricity Meter was simply a device to communicate consumption to generate bills – the latest generation of the Smart Meters are mini-computers, with IO and peripherals allowing them to connect to home devices, and on-board compute resource allowing monitoring, automation, control and analytics.
And the communications infrastructure is getting smarter with the latest generation of data concentrators providing very capable ruggedized compute platforms far into the field, with the ability to automate local energy brokering services.
This means that, suddenly, the functions and capabilities of the “nodes” in the Smart Grid are no longer static and defined by physical build. They are defined by configuration of software and firmware. There is a massive opportunity to innovate and create a Smart Grid; enabled by this flexibility, the function and performance of smart meters can be monitored and controlled remotely, and new services and capabilities introduced without needing to visit the customer. This is essential if the changes in the way we generate and use energy are to be enhanced by the Smart Grid.
This modernization brings its own challenges as well. As the equipment in the field becomes more sophisticated, how will monitoring, management and securing of these assets need to change?
The question is partially answered already – just look at the telecoms industry. 30 years ago, there was a phone, a copper cable connected to an exchange and some switching equipment, much of which was physical – you needed ear protectors to visit a telecoms exchange in the 1970s.
And then transformation! The switch becomes a DSL Access Module, the cable is often now coax or fibre, or sometimes replaced by radio, and the phone is replaced by a DSL Modem, and suddenly, the laptop, smart-phone and smart-home become the end-point that the consumer interacts with.
Utilities and the Smart Grid are perhaps 10 years into this same type of transformation, and so the industry should be asking…
How did the telecommunications industry respond to this massive change?
The answer is that they implemented sophisticated, highly integrated network monitoring and management systems; addressing fault/performance management, inventory configuration management, service activation and engineering. Integration is facilitated through alignment to an overarching telecoms process model called eTOM, developed by the TMF, the Telecommunications Management Forum, and the associated information model (SID) and application framework (TAM). This means that the IT teams building these complex systems have a common language, and vendors can align their solutions to allow interoperability.
This was great for the new generation of equipment (no longer requiring headphones to visit), but then, just like with the Smart Grid, software started to dominate. At that point, the ITIL (Information Technology Infrastructure Library) family of processes, became essential. These apply problem and issue management, release management, configuration management, security and SLA management processes, which are essential in maintaining an IT network where software and IT platforms work together. (Does this sound like the Smart Grid that we are starting to see emerge?)
The TMF, recognising this transition, moved to embrace ITIL collaboratively, resulting in a set of standards which provide a framework for managing, monitoring and securing a sophisticated distributed, technological national resource – the telecommunications network.
The final transition was towards customer experience management; utilising the compute resource in the handset to monitor and control the quality of experience of the consumer. Now, management of telecommunications networks focuses on social impact, revenue impact and public image as much as technology.
So, what does this mean for Smart Grid? Well, instead of re-inventing the wheel, why not look at what the telecoms industry has achieved over the last 30 years, as it went through the same type of technological and social transformation that the energy industry is only now going through?
It all starts with the intelligent devices in the field, just like in telecoms 30 years ago – select the Smart Grid solution providers that give you visibility of the infrastructure, the consumer’s service, the ability to control the service and the flexibility to adapt through software and firmware configuration. Focus on the parts of the infrastructure where visibility is hardest to achieve, such as the low-voltage grid, because these are the areas where change is coming fastest, and they will require agility to respond through remotely configurable devices.
NES supplies the most sophisticated and secure Smart Grid solutions available today, and its solutions form the foundation for any energy provider seeking to follow the path set by the telecommunications industry, as they transition from being a technology focused enterprise to a business driven by social impact, sustainability, security and customer experience.
Cybersecurity efforts have, by and large, neglected the newly built “smart” infrastructures in power grids. Emil Gurevitch, Security Engineer and Hacker, explains why they will be targeted, and what utilities should do to plan for the inevitable cyberattacks.
Smart grids will reduce emissions and create a wealth of savings for utilities, but the fast-paced adoption of new technology comes at the cost of increased risk of cyberattack.
Industrial control systems have been subject to such attacks, and significant effort has been put into securing them as a result. However, new, emerging technologies, such as smart meter infrastructures, have yet to be battle-tested, and utilities should expect them to inevitably have weaknesses.
Despite this, they are installed into the grid in an effort to keep companies competitive in the race to the smart grid, prioritizing increased operational efficiency and new business opportunities over potential bad actors.
You may think that comparing smart meters to, say, the SCADA for substation control, is a bit of a stretch. And, to some extent, you would be right. However, if you take an adversarial look at it, you will probably find that they pose a much greater risk than expected.
For example, utilities use smart meters to remotely switch power off, they use smart meter data in mission-critical processes that go well beyond billing, and they make significant investments to upgrade the physical grid infrastructure with communications networks that bind it all together. Utilities expect these newly built computerized infrastructures to gain new capabilities over time via remote software updates, thus increasing the return on investment. From an attacker’s perspective, we are looking at a system that we can misuse to switch power off, a system we can manipulate to disrupt or derail a utility’s mission-critical processes, and a centrally managed system of millions of connected devices that we can take control of and reprogram.
In the EU, Member States are required to implement smart metering. The latest report from the Joint Research Centre says that Member States have committed to rolling out close to 200 million smart meters for electricity by 2020.
Efforts to secure these new technologies have largely focused on trying to prevent attacks from being successful. This is of course important, but new stories of cyber attacks hit the headlines almost every day, and it should be abundantly clear by now that not every attack can be blocked — utilities must therefore invest in early detection and incident response, especially for their newer technologies that may not be procured, developed, or operated with a bad actor in mind.
Making detection and response a core part of your grid is crucial to protecting yourself and your consumers, and is a cornerstone of creating a truly smart grid and city.
So, how can we ensure detection and response is effective?
A starting point is to work through a series of cyberattack scenarios and assess how your technology and processes hold up. Simulating them in practice and training for them can be a cost-effective way to find areas of improvement.
Here are three example scenarios that utilities should consider, and ask themselves “how do we detect this early?” and “how do we recover?”.
They are described from the perspective of the attackers and are intentionally focused around the often-neglected smart meter system.
Keep in mind that these attack scenarios are likely to happen in parallel during a real cyberattack. For example, in the 2015 cyberattack on a power grid in Ukraine, attackers took control of substation control systems and switched off power, they bricked grid devices by sending malicious firmware updates, turned off backup power supplies, erased files on servers and workstations, and even flooded a call-center in an attempt to prevent people from learning about the incident. These individual attacks were centrally coordinated, and some of them were probably launched in parallel. This is how real cyberattacks work.
Hacker Scenario #1: Power Outages. We work for a nation state and our mission is to inflict power outages. We hack our way into the utility’s centralized smart meter control center, wait until the low-voltage grid is under high load, and then we start sending out disconnect commands to all the smart meters in the field. In the middle of the attack, we find that the utility has built-in limits on the number of disconnect commands you can launch from the central system within a given time period, but we find a way around it — like we always do — and remotely change the power thresholds on the meters instead, thus causing the meter to hit the limits immediately and disconnect.
It should be noted that, at the time of writing, there are no known successful cyberattacks misusing the smart meter system to switch power off in the grid.
However, like the flow of electricity, attackers follow the path of least resistance. They will go through the smart meter system to achieve their mission if that is easier than to breach the SCADA for substation control.
Hacker Scenario #2: Manipulating Business Processes. This time, our mission is to manipulate a series of processes that base their decisions on the information received from the smart meters in the field — such as signal and power quality levels used for fault detection and load balancing. We hack our way into a couple of carefully chosen, Internet-connected control nodes managing around 2,000 smart meters in total. We then start making slight but controlled changes in the information reported back to the utility, and ultimately achieve our mission.
Of course, smart meters are often not just used for billing consumers for the electricity they use. Smart meters are increasingly being used as grid sensors, monitoring the conditions of the edges of the grid. This is an extremely insightful data point from a Smart Grid perspective. By manipulating this data, attackers can directly change the view of a grid to their advantage.
Hacker Scenario #3: Stealing and Selling. We work for a criminal organization. The mission is to steal utility assets and sell them back to the utility (similar to a ransomware model). We are looking to cash out as much as possible, and as quickly as possible. So we go after what a utility relies on the most to operate: data and grid infrastructure. We outsource the development of new malware targeting smart meters, launch it, and take control of thousands of smart meters. Then we change their security keys, pushing the utility out of their own infrastructure. We also rent a classic ransomware service and launch a campaign against the utility’s central system, stealing large amounts of data. We then demand a ransom in return for the access to the hijacked smart meters in the field, as well as the data we stole. We then wait for the payout in ‘Monero’ to come in.
Although ransomware campaigns are common, there are no known successful attempts at pushing a utility out of their own smart meters with ransomware. However, it is important to at least acknowledge that all of these new power grid infrastructures are essentially large, distributed networks of computers that can be hijacked for financial gains.
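One concrete answer to “how do we detect this early?” for the command-driven scenarios (#1 and #3) is to watch the head-end audit trail for bursts of sensitive commands. The following is an added example, not code from the article or from NES: a toy sliding-window detector run over constructed audit log lines, where the log format, command names (DISCONNECT, SET_POWER_LIMIT, CHANGE_KEY), operators and limits are all assumptions for illustration.

```python
# Added example (not from the original article or NES): a toy burst detector
# over constructed head-end audit lines. Format and command names are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <operator> <command> <meter_id>"
SAMPLE_LOG = """\
2024-05-01T18:00:01 op7 DISCONNECT m0001
2024-05-01T18:00:02 op7 DISCONNECT m0002
2024-05-01T18:00:10 op7 SET_POWER_LIMIT m0004
2024-05-01T18:00:11 op7 SET_POWER_LIMIT m0005
2024-05-01T18:00:12 op7 SET_POWER_LIMIT m0006
2024-05-01T18:00:13 op7 SET_POWER_LIMIT m0007
2024-05-01T18:00:14 op7 SET_POWER_LIMIT m0008
2024-05-01T18:30:00 svc CHANGE_KEY m0101
2024-05-01T18:30:01 svc CHANGE_KEY m0102
2024-05-01T18:30:02 svc CHANGE_KEY m0103
2024-05-01T19:00:00 op2 DISCONNECT m0200
"""

# Max distinct meters one operator may touch per command inside WINDOW (assumed).
# The disconnect limit mirrors scenario #1; threshold and key changes get their own.
THRESHOLDS = {"DISCONNECT": 3, "SET_POWER_LIMIT": 3, "CHANGE_KEY": 2}
WINDOW = timedelta(minutes=5)

def parse(line):
    """Split one audit line into (timestamp, operator, command, meter)."""
    ts, operator, cmd, meter = line.split()
    return datetime.fromisoformat(ts), operator, cmd, meter

def peak_distinct(events, window):
    """Largest number of distinct meters inside any sliding `window`."""
    events = sorted(events)  # list of (timestamp, meter)
    peak, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        peak = max(peak, len({m for _, m in events[start:end + 1]}))
    return peak

def detect_bursts(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Sorted (command, operator, peak) alerts where an operator exceeded
    the per-command limit on distinct meters within one window."""
    events = defaultdict(list)  # (command, operator) -> [(ts, meter)]
    for line in lines:
        ts, operator, cmd, meter = parse(line)
        if cmd in thresholds:
            events[(cmd, operator)].append((ts, meter))
    return sorted((cmd, op, peak) for (cmd, op), evs in events.items()
                  if (peak := peak_distinct(evs, window)) > thresholds[cmd])
```

In the sample, the disconnect storm stays under the head-end limit, but the threshold-change burst used to bypass it and the mass key change are both flagged; the same structure extends to any other command a utility considers sensitive.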
The need for early detection and response planning
So, how would your utility hold up in these scenarios? In an environment with increasingly resourceful attackers and an increased attack surface, do utilities have the right technology and tools to detect intrusions early?
Attacks can be significantly hampered by early detection and pre-planned disaster response playbooks. However, as of right now, solutions aren’t being applied quickly enough to newer grid technologies.
It’s like having smoke alarms in your house — you want to be able to prevent a big fire from happening by knowing there’s smoke. Utilities need to begin installing their cyber security smart metering ‘smoke’ detectors.