On December 23, 2015, hackers executed what is considered to be the first successful attack on a power grid when they took control of utility systems and knocked out power to some 225,000 customers across three distribution companies in the Ukraine for several hours. While the damage from the attack was limited due to the relatively short duration of the outage and the number of people impacted, it was the coordination and sophistication of the attack that left utilities around the world justifiably concerned.
The hackers, presumed to be Russian based on the IP addresses of the computers used in the attacks, used spear phishing and malware to gain a foothold in the IT networks of the three utilities and harvest credentials to access their industrial control system (ICS) networks. From there the hackers were able to seize control of the SCADA systems and turn off substations; disable or destroy various IT infrastructure components; and simultaneously execute denial-of-service attacks on the utility call centers to prevent customers from reporting or receiving important information.
The events in Ukraine raised the stakes for grid security to a new level. For so many reasons, such as our vast reliance on electricity and the likely ripple effects through the economy, health care, transportation and infrastructure, a successful cyberattack on the U.S. power grid would be a highly disruptive event, likely costing billions of dollars in economic damage while threatening public safety in myriad ways. The U.S. response to such an attack could also alter the geopolitical landscape or lead to military conflict.
That’s a lot to worry about. And against this backdrop, it’s understandable that discussions of cybersecurity investment and strategy at utilities often take on the aura of FUD: fear, uncertainty and doubt. What are the worst-case scenarios, how likely are those scenarios to unfold, and what is a prudent amount of effort and investment to manage that cybersecurity risk? Perhaps the more challenging question: how are investments in cybersecurity properly balanced with investments in reliability and resiliency given that weather events, thus far, cause far more disruptions and outages than cyberattacks?
In other words, cybersecurity too often comes down to a “siloed” question of how much to invest in “insurance,” amid multiple parties effectively competing for a finite wallet. How much should I spend to protect against a serious event that may or may not take place vs. investing in “opportunity” to drive future growth?
The key point I’m making is that in an Internet of Things (IoT) world, the cybersecurity discussion should take place in the broader context of business strategy and technology road mapping. At Atos, we’re finding that both analytics and cognitive computing, particularly the use of artificial intelligence (AI) techniques such as machine learning and neural networks, greatly enhance traditional IT-based security tools if approached in the right way. Here’s why:
The U.S. power grid is a gargantuan machine. More than 3,300 utilities delivering electricity from 7,000 power plants over 200,000 miles of transmission lines, through more than 55,000 substations and 5 million miles of distribution lines. More and more of these assets are connected, monitored and controlled by millions of networked, digital devices ranging from synchrophasors on the transmission lines to smart meters at the customer premise, all creating new and potential vulnerable vectors for hackers to exploit or attack.
At the generation and transmission level, the cybersecurity standards and requirements developed by the North American Electric Reliability Corp. (NERC) starting in 2006 for Critical Infrastructure Protection (NERC-CIP) have established an appropriate baseline of cybersecurity consistency and rigor to the bulk power system.
The distribution system is a different story. Here, the commissions and the utilities they regulate are struggling with both the technical and budgetary/resource challenges of securing the distribution system, which is connected to more and more distributed assets and intelligent devices. Many utilities, especially smaller ones, lack the financial or technical resources to adequately safeguard their systems. There is also an acute need for jurisdictions and utilities to share information about best practices, standards and the evolving threat environment.
So how can analytics investments be leveraged to enhance cybersecurity? Traditional IT-based security tools, such as firewalls, encryption and authentication technologies, do not consider or report the physical or behavioral information of the device or asset they’re protecting. One of the fundamental challenges in protecting your infrastructure is understanding your surface area of risk and reducing the vulnerability of those assets, i.e. knowing when an attack is underway and on what device. What is the role of that device, the temperature, the pressure, the speed, and the state of connectivity, etc.? What is the baseline for these values, how can you detect abnormal, if you have no basis for normal? These behaviors and telemetry, all staples of operations technology (OT) or industrial IoT automation and business analytics, are also tremendously informative from a cybersecurity standpoint by enriching the data stream and improving situational awareness.
Technology providers are evolving their architectures to effectively detect cyberattacks by gathering information about the physical state of the power grid and the devices therein. They’re doing this by developing and deploying low-cost, IoT sensors, or by listening better to the systems they already have. The key idea is that the physical behavior of components on the grid can help determine when the grid is under attack by providing a redundant and complementary set of data points. Even if the attack is sophisticated enough to manipulate what is represented by a device or sensor (remember Stuxnet and the Iranian centrifuges), this analytics-based redundant source of data can mean the difference between detecting an intrusion in a timely manner vs. finding out only after significant damage has been done.
So, if you’re looking at cybersecurity and business analytics as separate, discreet endeavors, you’ll be leaving money, security and synergy on the table. This is a distinctly different conversation from the “FUD-based” cybersecurity discussion. When it comes time to discuss strategy and investment in cybersecurity or business analytics, bring the IT staff and the business users together. Seek out cybersecurity synergies between IT and OT. With the right partner and technology, you will find that you can improve cybersecurity, asset reliability, and business performance using many of the same dollars. And it will be a much more pragmatic and welcomed conversation than FUD.
About the author: Mazi Fayazfar is the chief technology officer for the Telecom, Media & Utilities group at Atos in North America. He can be reached at email@example.com. For more information, visit: https://pages.atos.net/digital-utility/