The energy sector has become a primary target for cyberattacks. Alongside the ongoing transformation to smart grids there is therefore a parallel and growing need for cyberdefense. Deploying a smart grid without suitable cybersecurity can have serious consequences, such as grid instability, utility fraud or the loss of user information (itself a serious GDPR breach in Europe); in the worst case it could cost lives, for instance if smart homes lose power in the middle of winter and people are harmed by the cold.
Because of the variety of architectures that provide communication within the smart grid, it is a challenge to design a strong, advanced cybersecurity concept that can be deployed smoothly and then operated securely and efficiently. Smart grid operations also cannot be staffed at the levels of the past, because cybersecurity experts are scarce in the market; another solution is needed. This is where the latest cybersecurity technology around security analytics, orchestration and response (SOAR) comes in, achieving a higher level of automation and reducing both risk and response times when incidents occur.
SOAR technology focused on critical networks collects and stores alerts from traditional and new grid elements and then applies correlation or analytics to provide a consolidated, prioritized view of overall threats and risks. Importantly, the risk assessment is based on knowledge and context specific to smart grids rather than on standard IT analytics, so companies with grid experience must be involved to make a proper risk evaluation. In the worst case, a wrong risk assessment leads to heavy investment against a so-called false positive, i.e. a threat that was never real.
Based on the risk assessment, the operations team can then initiate an automated workflow, either a fully or a partially automated response. Today these responses are pre-built playbooks run by a workflow engine, which lets incident response teams reduce labor and mitigation costs while also eliminating confusion and frustration. The playbooks are carefully developed, evaluated and verified, and can then be executed, at the touch of a finger, as many times as needed.
Such a level of automation not only increases security but also reliability, as playbook execution is less error prone and reduces the chance and duration of security-caused service outages. By applying all of the above at machine speed, these solutions reduce mean time to resolution (MTTR), with some able to automate up to 80% of repetitive, manual incident response activities. This significantly increases the number of alerts security teams can respond to, which then once again helps to increase reliability by reducing duration and impact of security incidents.
Another way SOAR systems help smart grid operators achieve higher reliability is through continuous auditing of the security settings in modern grid devices. Many network outages or degradations can be traced back to manual network change activity. During an upgrade there may be no post-upgrade checks to confirm that the configurations meet all security policies and regulations.
In many cases, industries observe typical error rates between the target configuration and the actual security settings ranging from 2 to 20%, even after a manual audit. Manual audits are also typically ineffective because of the sheer number of parameters (hundreds of thousands of configurable parameters). As a result, test cycles are prolonged or invalidated by incorrect security configurations.
Configuration errors can lead to silent outages, degradations and low grid reliability. This, in turn, could cause fatalities in any smart city network, which includes traffic signals and cooling/heating management.
Detecting such security deviations, mitigating them automatically via workflows, and patching and updating through non-intrusive, clientless systems reduce the risk of security incidents and thereby increase availability and reliability. More and more smart grid companies therefore apply automated auditing, followed by analysis, of the security configuration parameters in the grid. Parameter and inventory settings are collected in real time, and a data integrity analysis is then performed by comparing the as-is state with the security policy and/or regulator guidance.
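The audit loop described above (collect the as-is settings, compare them with the security policy, and hand each deviation to a playbook step as in the workflow automation discussed earlier) as an added example that is not from the article; the parameter names, device ids, policy values and playbook step names are constructed assumptions, not any vendor's schema.

```python
"""Added example (not from the article): compare collected device settings
with a security baseline and queue playbook steps for each deviation.
All parameter names, device ids and policy values are constructed."""
from dataclasses import dataclass, field

# Constructed baseline: parameter -> (required value, remediation playbook step)
POLICY = {
    "remote_mgmt_protocol": ("ssh", "disable_telnet_enable_ssh"),
    "tls_min_version": ("1.2", "raise_tls_min_version"),
    "default_credentials_changed": ("true", "rotate_default_credentials"),
    "firmware_signature_check": ("enabled", "enable_signature_check"),
    "syslog_forwarding": ("enabled", "enable_syslog_forwarding"),
}

@dataclass
class AuditResult:
    device_id: str
    deviations: dict = field(default_factory=dict)  # param -> (actual, expected)
    actions: list = field(default_factory=list)      # playbook steps to queue

def audit_device(device_id, actual, policy=POLICY):
    """Compare the as-is settings with the policy; a missing parameter is a deviation."""
    result = AuditResult(device_id)
    for param, (expected, action) in policy.items():
        value = actual.get(param, "<missing>")
        if str(value).lower() != expected:  # normalise bools and case before comparing
            result.deviations[param] = (value, expected)
            result.actions.append(action)
    return result

def audit_fleet(inventory, policy=POLICY):
    """Audit every device and return the results plus the fleet-wide deviation rate."""
    results = [audit_device(dev, cfg, policy) for dev, cfg in inventory.items()]
    checks = len(results) * len(policy)
    deviations = sum(len(r.deviations) for r in results)
    return results, (deviations / checks if checks else 0.0)

# Constructed snapshot of settings collected from three grid devices.
INVENTORY = {
    "rtu-substation-01": {"remote_mgmt_protocol": "ssh", "tls_min_version": "1.2",
                          "default_credentials_changed": True,
                          "firmware_signature_check": "enabled", "syslog_forwarding": "enabled"},
    "meter-concentrator-07": {"remote_mgmt_protocol": "telnet", "tls_min_version": "1.0",
                              "default_credentials_changed": True,
                              "firmware_signature_check": "enabled", "syslog_forwarding": "enabled"},
    "rtu-substation-02": {"remote_mgmt_protocol": "ssh", "tls_min_version": "1.2",
                          "default_credentials_changed": True,
                          "firmware_signature_check": "enabled"},  # syslog_forwarding missing
}

if __name__ == "__main__":
    results, rate = audit_fleet(INVENTORY)
    for r in results:
        print(f"{r.device_id}: {len(r.deviations)} deviation(s), actions={r.actions}")
    print(f"fleet deviation rate: {rate:.1%}")  # 20.0% for the constructed snapshot
```

The fleet-wide rate is the same metric the article quotes as a 2 to 20% gap between target and actual settings; the per-device action list is what a workflow engine would consume.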
The benefits of this approach for smart grids are manifold. Security incidents can be very costly for grid operators; not just from the loss of revenue from disrupted services, but from recovery and restoration costs, potential lawsuits, damage to brand reputation, compensation to users and non-compliance penalties.
Nils Ahrlich has over 19 years of experience in security, IT and telecommunications. He is currently head of End-to-End Security Solutions at Nokia Networks, based in Hamburg, Germany. The security area covers all major operator technologies and today focuses on 5G and cloud as well as industrial use cases. Before his current role, Nils headed the Security Service Line within the Professional Services organization of Nokia Siemens Networks, where he led the worldwide security business and developed carrier-specific solutions (e.g. LTE security) in support of the company's strategy of keeping operator networks secure.