by Lila Kee, GlobalSign
Ask an information technology (IT) security analyst about the greatest point of failure risk in the U.S. cybersecurity defense infrastructure, and almost instantly the reply is “the electric power grid.”
“Terrorists don’t need a bomb or a missile strike to wreak massive disruption on the grid,” said a security expert at an industry analyst firm recently. “All they need is access to a single user’s shared Web portal, which is likely secured by a single password, and with even the most rudimentary skills, they can shut us down.”
The energy infrastructure is vulnerable, as almost everyone who’s used a computer can relate.
A username and password login is required for just about any digital interaction today. Utility operational technologies (OT), which have been mostly offline proprietary hardware and software, have given way to IT approaches that use online software for analytics, load balancing, advanced metering, infrastructure supply chain management and remote monitoring. Much of these interactions are still managed via basic forms of Web-enabled login or passwords. Thus, the shift from OT to IT has been both an efficiency boon and a massive security incident waiting to happen. The shift toward a better connected and digitized electrical grid has introduced new security risks to the utilities’ operations and infrastructure, as well as to the data originating from Internet Protocol (IP)-connected customer base smart meters.
The Department of Homeland Security estimates there are roughly 200 utility industry incidents annually. Some intrusions are documented to have arisen from so-called single-factor methods of authentication (i.e., user name or passwords) where default passwords or the use of shared password or spreadsheets make it too easy to access the system, despite the long-standing warnings of security experts that passwords are not enough. And as the Internet of Everything (IoE) brings a whole new wave of smart devices, automated systems, wearables and other applications we haven’t even dreamed of yet, the potential sources of intrusions will rise further, entering not only our infrastructure, but creating risks of unauthorized access to information within our homes.
The Presidential Policy Directive of February 2013 to improve critical infrastructure security has placed additional urgency around cybersecurity. The plethora of vulnerability types and the myriad of solutions to address IT security, however, can be overwhelming to evaluate and prioritize. The good news for energy asset owners is that open, public-private partnerships are helping the federal government and the electric utility industry implement available methods to secure critical infrastructure. Solutions that adopt industry-driven and enhanced security standards, particularly around improved identity and access controls for the energy industry, are being implemented to address grid security needs.
NIST’s National Center for Communities of Excellence
As the lines between OT and IT blur, the electric utility industry is rushing to keep up with evolving threats, as just about any browser becomes a potential access point to a security incident.
The National Cybersecurity Center of Excellence (NCCoE), a member of the National Institute of Standards and Technology (NIST) family, was chartered in 2012 to further the rapid identification, integration and adoption of practical, standards-based cybersecurity solutions that could be deployed across the nation’s infrastructure.
Cybersecurity involves a broad range of domain expertise, from network intrusion detection and prevention, business continuity and disaster preparedness, employee education and training, malware detection and prevention, data loss prevention (DLP) and encryption.
Identity and access management (IdAM), however, is particularly important because it is the point at which an intruder gains access to an otherwise tightly controlled resource (see Figure 1).
It is also an area of intense innovation lately because the IoE ratchets up the potential for intrusions to occur faster and from more sources.
To help put a stake in the ground for security practices specific to the energy sector, the NCCoE solicited input to address several use cases designed to showcase typical identity and access work flows’ involving power generation, transmission and distribution of the power resource.
The IdAM case spotlights the multiplicity of access points in today’s mobile, Internet-connected environment and shows the potential vulnerabilities in just one tiny, typical utility service issue.
Each transaction in the work flow represents a potential area where an underlying technology component can help.
Vendors were invited to NCCoE’s Rockville, Maryland, facility to learn more about the IdAM initiative and to provide brief introductions to security platform components that can help address the areas of risk and to illustrate what first movers in the industry were doing. NCCoE’s objective is to lead an industry-driven development of a best practices guide that can be published and implemented by others in the energy sector in need of advanced identity and data management technology.
The NCCoE obtained more than 130 comments from 40 reviewers, which it has summarized and that will drive the next phase of its work, including feedback from the IdAM vendor community on a draft Energy Sector IdAM Security Architecture and recommended implementation models.
Vendors will provide graphical and narrative descriptions of where and how their products fit into the energy infrastructure, tied to implementation strategy.
The result is expected to be a guide that energy companies, including utilities, can use to address identity and access to IT and OT resources.
Energy-specific Certification Programs
In parallel with the NCCoE’s work, the North American Energy Standards Board (NAESB), an industry forum open to wholesale and retail national gas and electricity members and vendors, has been an early mover in achieving industry concordance on cybersecurity. The group put forth its first recommended standards on Web-based electronic commerce as far back as 1998, and its subcommittee on public key infrastructure (PKI) standards has worked for more than five years to expand utility-specific identity and access management initiatives.
PKI technology has broad applications in the energy industry, from addressing the fundamental secure socket layer (SSL) encrypted transactions among computer servers to expanding into smart metering and other smart services for back-end management and customer-facing applications, as well as secure user authentication.
PKI also provides for the mediation of trust by entities called third-party (public) certificate authorities (CAs), which must follow strict identity and security practices to authenticate devices and issue digital certificates to establish a reliable means of digital trust. PKI, an industry standard since the mid-’90s, had proved scalable, flexible and cost-effective for controlling many identities for authentication in the expanding universe of connected devices.
Much of the NAESB PKI standard uses concepts from the Federal Bridge PKI framework but has been modified for the electric utility’s specific needs and threats. When correctly implemented, it allows highly scalable and reliable authorization and automation to support millions of simultaneous transactions in complicated energy-related work flows, such as energy trading, off-peak consumption and smart metering expansion.
Underlying NAESB’s PKI security work is the concept of risk vs. implementation using a continuum of assurance levels from rudimentary to basic, medium and high (see Figure 2.)
The concept is to protect information of varying sensitivities differently, with an eye to balancing simplification and vulnerability.
Information at higher risk is provided with stronger authentication and verification processes; lower risk information uses simpler processes.
Since 2012, NAESB has required digital certificates to access the NAESB Electronic Industry Registry (EIR) Web registry, the central repository for information required to support commercial scheduling and transmission management operations in North America. NAESB also has a formal Authorized Certificate Authority (ACA) program that was developed by energy industry experts. By using an accredited ACA, energy participants such as utilities can implement strong authentication into a number of Internet-connected processes.
ISO New England
ISO New England, which provides oversight and fair administration over its regional wholesale electric power market, provides a great example of an early mover in the use of PKI to better assure the security of its operations while automating and streamlining to support a new class of remote software-driven solutions and smart value-added services.
ISO New England increased the level of identity authentication for it power generators, regional utility companies and other market participants that use the ISO New England’s eMarket portal.
ISO New England uses a NAESB-compliant partner, GlobalSign, to define a strong authentication approach for stakeholders while ensuring highly trusted, authenticated energy transactions.
Its primary uses of PKI are for secure communications and authentication and access control by its member companies and trading partners. At ISO New England, GlobalSign’s Enterprise PKI solution for digital certificates simplifies the vetting, issuance, authentication and revocation processes to issue NAESB-compliant trusted identities. With more than 5,000 active digital certificates, ISO New England also uses EPKI to enable a secure, single sign-on (SSO) experience for its “standard market design” applications, saving utility users time and hassle when interacting with ISO New England. This strong authentication eliminates entering and maintaining passwords while maintaining the exceedingly stringent security standards appropriate for controlling the flow of energy.
Digital certificates provide a convenient, cost-effective and secure means of user authentication and can be revoked if they are compromised or no longer valid, can provide an audit trail and legally binding assurances, and they allow for the implementation of additional transactional services such as time stamping.
Balancing Simplification, Vulnerability
Mediating trust is paramount to enabling safe commerce, communications, content delivery and the safe and reliable management and delivery of power from an increasingly automated electric utility grid.
Utilities are rapidly evaluating and adopting stronger security practices, but many providers do not know where to start.
The efforts of open industry forums and standards boards such as NCCoE and NAESB, which are made up of industry members, customers, vendors and government representatives, are providing a road map to important best practices, fundamental technology components and architectures that can propel greater efficiency and effectiveness in meeting a more demanding security challenge in the energy industry.
Lila Kee is chief product officer at GlobalSign, a trust service provider since 1996 and an NAESB Authorized Certificate Authority (ACA) to the electric utility industry. She is a member and participant in NIST-NCCoE Energy Sector Identity and Access Management Use Case Consortium and member of the Wholesale Electric Quadrant’s executive board.
Go to www.pgi.hotims.com for more information.More PowerGrid International Issue Articles
PowerGrid International Articles Archives
View Power Generation Articles on PennEnergy.com