Chapter 8

The Future of the Grid

Information in this chapter:

• The challenge of making predictions

• The value of personal data

• Cyber security considerations for the future

• The future of cyber security countermeasures

No one knows what the future will bring, but by looking at trends in malware activity, hacktivism, cyber espionage, and advanced persistent threats—as well as trends in regulations, industry activities, and cyber security technology—we can certainly speculate. This chapter takes a step away from fact and delves into the nebulous world of conjecture, supposition and hearsay: not everything here is as it seems!

Disclaimer

The views expressed hereafter belong entirely to the authors, and not to their employers, and are not based on any future product knowledge concerning their employers or other confidential information. The speculations, ideas, opinions, views, predictions, concerns etc., are entirely their own. Statements within this chapter should be treated as conjecture and not fact, and are intended primarily to spark discussion and debate.

The challenge of making predictions

Making predictions, in particular in the world of technology, is naturally fraught with risk, and there are numerous examples of those much cleverer than myself getting things frightfully wrong. Thomas Watson, president of IBM, apparently said in 1943, “I think there is a world market for maybe five computers,” and Darryl Zanuck, an executive at 20th Century Fox, said in 1946, “Television won’t be able to hold on to any market it captures after the first six months. People will soon get tired of staring at a plywood box every night.”

Of course, the purpose of this chapter is not to present examples of the worst technology predictions,1 regardless of how amusing they are. It is, however, somewhat difficult to predict what the future of the Smart Grid will look like, in particular from a security perspective. The reason? Much of the content proposed in this book is something we HOPE will be included within the modern grid. Just to be clear, this is not necessarily something we hope for out of professional interest, or with a view to achieving financial gain, but as consumers. The future of the grid, and in particular its cyber security and privacy considerations, must therefore build assurance into the design of new implementations and regularly assess the threats, to ensure that any new risks are adequately managed. This is what we have presented in this book: a range of technical and process-based controls that should be incorporated into the modern energy grid.

This of course makes this chapter somewhat redundant.

However, what if? What if security and privacy controls are not incorporated into the Grid? What would our future look like? This of course moves into the world of predictions and makes us somewhat doom merchants, which is not the intent. Moreover, we are then moving into the world of non-fiction, or are we?

An alternate world

I remember a joke I was once told, about a very simple process of ordering a pizza over the telephone. At the time, I simply discarded it in the mental bin of mildly amusing anecdotes but today it demonstrates the importance of privacy.

Operator:“Thank you for calling Pizza House. May I have your…”

Customer:“Hi, I’d like to order.”

Operator:“May I have your NIDN first, sir?”

Customer:“My National ID Number, yeah, hold on, eh, it’s 12324134-45-54610.”

Operator:“Thank you, Mr. Smith. I see you live at 1123 Cumberland Drive, and the phone number’s 425-3242. Your office number over at Telenet Insurance is 234-2342 and your cell number’s 266-2566. Which number are you calling from, sir?”

Customer:“Huh? I’m at home. Where d’ya get all this information?”

Operator:“We’re wired into the system, sir.”

Customer:(Sighs) “Oh, well, I’d like to order a couple of your All-Meat Special pizzas…”

Operator:“I don’t think that’s a good idea, sir.”

Customer:“Whaddya mean?”

Operator:“Sir, your medical records indicate that you’ve got very high blood pressure and extremely high cholesterol. Your National Health Care provider won’t allow such an unhealthy choice.”

Customer:“Damn. What do you recommend, then?”

Operator:“You might try our low-fat Soybean Yogurt Pizza. I’m sure you’ll like it”

Customer:“What makes you think I’d like something like that?”

Operator:“Well, you checked out ‘Gourmet Soybean Recipes’ from your local library last week, sir. That’s why I made the suggestion.”

Customer:“All right, all right. Give me two family-sized ones, then. What’s the damage?”

Operator:“That should be plenty for you, your wife and your four kids, sir. The ‘damage,’ as you put it, heh, heh, comes $49.99.”

Customer:“Lemme give you my credit card number.”

Operator:“I’m sorry sir, but I’m afraid you’ll have to pay in cash Your credit card balance is over its limit.”

Customer:“I’ll run over to the ATM and get some cash before your driver gets here.”

Operator:“That won’t work either, sir. Your checking account’s overdrawn”

Customer:“Never mind. Just send the pizzas. I’ll have the cash ready. How long will it take?”

Operator:“We’re running a little behind, sir. It’ll be about 45 min, sir. If you’re in a hurry you might want to pick ‘em up while you’re out getting the cash, but carrying pizzas on a motorcycle can be a little awkward.”

Customer:“How the hell do you know I’m riding a bike?”

Operator:“It says here you’re in arrears on your car payments, so your car got repo’ed. But your Harley’s paid up, so I just assumed that you’d be using it.”

Customer:“@#%/$@&?#!”

Operator:“I’d advise watching your language, sir. You’ve already got a July 2006 conviction for cussing out a cop.”

Customer: (Speechless)

Operator: “Will there be anything else, sir?”

Customer: “No, nothing. Oh, yeah, don’t forget the two free liters of Coke your ad says I get with the pizzas.”

Operator: “I’m sorry sir, but our ad’s exclusionary clause prevents us from offering free soda to diabetics.”2

This is of course a joke. It is not intended by any stretch of the imagination to propose what our world will look like, however let us consider what will happen should security and privacy controls not be integrated into our daily lives, and the implication this can have on society.

Value of personal data

Ask yourself a simple question: who currently has personal information about me? Chances are that you can probably name 10, or maybe even 20 organizations, but deep down you probably know this is the tip of the iceberg. As we move into a digital world comprising smart meters that capture how we consume energy, charging stations that also capture details, and electric vehicles that capture details about every journey, there is no question that we will witness an explosion in the amount of personal data captured. Let us for a moment also consider that “Personal data are the new oil of the Internet and the new currency of the digital world,” according to Meglena Kuneva, European Consumer Commissioner, March 2009,3 in other words data have significant value (to third parties). Some people may take offense at the reference to the third party; however, we have to be realistic that many people today simply do NOT understand the true value of their data. We have seen many examples of this; I personally witnessed a line 40 deep of people queuing to hand over data in exchange for chocolate. This disparity between the perceived value of personal data and its true value is probably at the widest it has ever been. This has allowed third party companies to utilize valuable information to improve their bottom line through the offer of tailored advertisements or other products/services to the public. The value proposition for the consumer at present is relatively weak; take loyalty cards as an example, which in some cases offer less than one percent in return for detailed data about what subscribers purchase. So what does this mean in the world of energy? Well, we briefly touched on examples in Chapter 4, whereby it would be possible to determine remarkable insights about what exactly individuals are doing in their own home simply from accessing information garnered from the smart meter.
However, the vast majority of current and potential Smart Grid customers remain oblivious to such risks. There are of course consumer groups that remain committed to opposing rollouts because of the potential privacy implications, for example:

– Stop Smart Meters4: A UK group who state “Smart Meters represent a globally-coordinated, locally-deployed Trojan Horse of our time. Health, privacy & safety at home now stand at a precipice. Now is the time to say ‘NO!’.”

– No to Smart Meters5: US group that warn consumers to “Just say NO to Big Brother’s smart meters.”

What is evident is that the majority of concern, in particular among consumer groups opposed to smart metering, relates to privacy, and to the view that third parties can gain unprecedented visibility into user activities. Of course this will be governed by Data Protection legislation, but the level of oversight provided by such legislation will depend on where the consumer actually lives. This is because Data Protection legislation is very country specific, with the exception of Europe, which issues a Data Protection directive for member states. The Directive, according to Article 288, “shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.” It is very unlikely that a common approach to data protection, and the preservation of privacy within the Smart Grid, will be consistent globally, but there are some overarching principles we can take from Data Protection legislation that focuses on the protection of individuals with regard to the processing of personal data and on the free movement of such data. To preserve the privacy of consumers, there are principles that should act as recommended approaches for all operators. Adhering to such principles will begin to address some of the concerns raised by consumer groups (two of which were identified earlier).

Transparency

“Consumers have a right to easily understandable and accessible information about privacy and security practices.”6

The consumer, or data subject, should be informed when their data are being processed, and the data should be collected only for a specified purpose. What this means is that personal data, once collected, should be used only for the purposes communicated to and agreed with the consumer. Any other purpose should be prohibited unless the consumer has granted consent. From a legal perspective, this agreement is referred to as consent, and in particular the provision of explicit consent.

The objective of providing greater transparency is a critical component of a number of projects that fall under a broader consumer empowerment strategy. In the UK, the MiData project aims to “allow people to view, access, and use their personal and transaction data in a way that is portable and safe.” The project had originally intended that providing such data to consumers would be voluntary for businesses; however, following a lukewarm response, a recent consultation considered the introduction of legislation to mandate such a requirement. The consultation closed on September 10, 2012, and any new measures would likely be included in the Enterprise and Regulatory Reform Bill that could become law in 2013. The outcome of the initiative will be that consumers of utilities are provided with details of their transactions. At present, six energy providers are among the organizations that have signed up to the voluntary program. This will, at the very least, allow consumers to view their energy consumption details and download them in a defined format for later viewing. Such data should enable the consumer to compare other energy providers more accurately and determine if they are overpaying their bills. This level of transparency is important; it is, however, worthwhile noting that consumers will ask additional key questions regarding transparency, such as “Who else has access to my data?” It is unclear if this will be included within the MiData initiative; regardless, as this initiative is only related to UK organizations, this key degree of transparency is or will be important to all consumers. In the world today, data are sold to third parties without that value being realized by the data subject. In the future, however, it is anticipated that the Personal Data Economy will actually be “Personal,” in other words that it will include the wishes of the data subject.
This economy puts the consumer in control and lets them realize the value of personal data for their own benefit. In other words, whereas today the value realized in allowing one’s data to be used is access to a service, in the future that data should potentially be financially rewarding. Therefore, if I as a consumer allow a consumer electronics company to review my transaction data with the energy provider, then perhaps I will receive discounts, or some money toward a device that will save me money. For example, the company can offer me a washing machine that will save me money over two years, because it is able to schedule times to operate, and I can schedule my washing to be done during off-peak hours. More importantly in this scenario, it is the explicit consent of the data subject that authorized the release of personal data, and this was based on the subject’s consideration of a value proposition from the third party that was seen as beneficial. Further, there are start-up companies that are proposing the development of a personal RFP (Request for Proposal), or P-RFP. This P-RFP allows the consumer to “publish” information about what they are looking to buy, with appropriate historical information. Organizations could then offer their products to such individuals, and the consumer could select the most attractive offer. There are even suggestions that organizations would pay for such data; in some cases (for automobile suppliers), the amount of money can be quite significant, as such information constitutes a very “hot” lead.

Proportionality

There have been many complaints by consumer groups about the amount of personal data that have been collected by organizations. According to the European Network Information Security Agency (ENISA) study on data collection and storage in the EU:

“According to the principle of minimal disclosure, when building a system that employs personal data, it should be taken into account that there is always a risk that the system may be breached, in order to minimise the possible damage arising from an eventual breach. Thus, data minimisation is presented as a design principle that minimises risk to data subjects, and which therefore improves the protection of their privacy.”7

There will be additional safeguards required for particularly sensitive data, for example information pertaining to medical conditions, religion, etc. However, it is unlikely that this type of data will be used within the energy grid.
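The transparency and proportionality principles above can be turned into a concrete design rule for meter data: every downstream use is tied to a purpose the consumer was told about, unknown purposes are refused rather than granted by default, and each purpose receives only the coarsest aggregate that serves it. The following is an added example illustrating that rule; it is not code from the book or from any utility. The meter readings, the customer, and the two purposes (“billing” and “network_planning”) are all constructed, and the 07:00–23:00 peak tariff band is an assumption made for the illustration.

```python
"""Purpose limitation and data minimisation applied to smart meter interval data.

Added example (not from the book). The readings, the customer record and the
purposes are constructed; the peak/off-peak boundary is an assumed tariff.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

Reading = Dict  # {"customer": str, "meter_id": str, "ts": datetime, "kwh": float}


def make_sample_day(meter_id: str = "METER-0001", step_minutes: int = 15) -> List[Reading]:
    """Constructed 15-minute interval readings (kWh per interval) for one day.

    The profile has a quiet night, a morning peak, a daytime lull and an evening
    peak: exactly the shape that lets an observer infer occupancy and routine.
    """
    start = datetime(2012, 10, 1)
    readings: List[Reading] = []
    t = start
    while t < start + timedelta(days=1):
        h = t.hour
        kwh = 0.05 if h < 6 else 0.25 if h < 9 else 0.10 if h < 17 else 0.40 if h < 22 else 0.08
        readings.append({"customer": "J. Smith", "meter_id": meter_id, "ts": t, "kwh": kwh})
        t += timedelta(minutes=step_minutes)
    return readings


def billing_key(r: Reading) -> Tuple:
    """Billing needs kWh per day per tariff band; not when each appliance ran.

    The customer's name is deliberately not part of the retained key: the meter
    identifier is enough to raise an invoice.
    """
    band = "peak" if 7 <= r["ts"].hour < 23 else "offpeak"  # assumed tariff boundary
    return (r["meter_id"], r["ts"].date().isoformat(), band)


def planning_key(r: Reading) -> Tuple:
    """Load forecasting needs hourly totals per meter, still without identity."""
    return (r["meter_id"], r["ts"].strftime("%Y-%m-%dT%H:00"))


# Purposes the consumer consented to, each mapped to the coarsest key that
# serves it. Anything not listed here has no consent and is refused.
PURPOSES: Dict[str, Callable[[Reading], Tuple]] = {
    "billing": billing_key,
    "network_planning": planning_key,
}


def minimise(readings: List[Reading], purpose: str) -> Dict[Tuple, float]:
    """Aggregate raw interval data down to what the stated purpose requires.

    Raises PermissionError for a purpose the data subject never agreed to, so a
    new use of the data has to be added explicitly rather than slipping through.
    """
    try:
        key_of = PURPOSES[purpose]
    except KeyError:
        raise PermissionError(f"no consent recorded for purpose {purpose!r}") from None
    totals: Dict[Tuple, float] = defaultdict(float)
    for r in readings:
        totals[key_of(r)] += r["kwh"]
    return {k: round(v, 3) for k, v in totals.items()}


if __name__ == "__main__":
    day = make_sample_day()
    print(f"raw records retained by the meter: {len(day)}")
    print("billing export:", minimise(day, "billing"))
    print("planning export has", len(minimise(day, "network_planning")), "hourly rows")
    try:
        minimise(day, "marketing")
    except PermissionError as e:
        print("refused:", e)
```

The point of the example is the asymmetry between what the meter records (96 readings that reveal the household's routine) and what leaves the meter for each purpose (two numbers for billing). A breach of the billing store then exposes far less than a breach of the raw interval store, which is the risk-reduction argument the ENISA passage makes.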

Future cyber security considerations

In the preceding paragraphs, we considered the future of personal data and the possible demands of consumers within the modern energy network, or at least two of the key principles. One could argue that this is the easy part! In other words, how do you define a breach of privacy? A straightforward answer is that it occurs where there has been an unauthorized disclosure of personal data.

Equally we don’t have to go particularly far to see how this works in practice with “Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.”8

When we talk about security incidents, it becomes slightly more difficult to quantify. For example, do we consider something as simple as a port scan an incident, or worse, an unauthorized email being sent to a stakeholder? Another challenge when defining the rules for a security breach is what data about the incident really should be disclosed. For example, we cited transparency as critically important from a privacy standpoint, but in the security context does releasing information publicly potentially put the system at risk? This could lead to subsequent “copycat” attacks. Obviously, if the breach utilizes a previously unknown vulnerability, then other users that have the same systems would want to know, but even disclosing vulnerabilities to a restricted group takes possibly critical information to third parties outside of the organization that may use that information for nefarious purposes. For example, on August 9, 2005, Microsoft released the MS05-039 patch to address a vulnerability in the Windows 2000 Operating System. Four days later, the Zotob worm began to emerge on the Internet, with reports of widespread disruption of infected computers around the world. It is common practice today for new exploits to be created by reverse engineering the patch that was released to close the vulnerability, and then introduced into security frameworks such as Metasploit.

Other questions that will then arise concern the concept of safe harbor. From the privacy perspective, a simple example of how safe harbor is used would be the unauthorized disclosure of personal information: if the media used to store the data were encrypted, then the organization that lost the data may not need to report it. In the security context, the safe harbor rules will invariably be more difficult to define.

Of course, all of these questions are particularly relevant and become critical to the future cyber security considerations of the Smart Grid. New developments in legal/regulatory frameworks have initiated public consultations to consider the introduction of security breach notification. In Europe, the European Commission launched a public consultation that considered such a notification. This consultation was aimed at garnering recipients’ experiences of cyber incidents, to assist the Commission in the development of security breach notification legislation.

Notification is of course one important step toward improving cyber security, by identifying and learning from incidents. In the United States the approach also includes the development of a Computer Emergency Response Team focused on Industrial Control Systems (ICS-CERT), their responsibilities include:

Industrial Control Systems Cyber Emergency Response Team

“The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a control system security focus in collaboration with US-CERT to:

• respond to and analyze control systems related incidents,

• conduct vulnerability and malware analysis,

• provide onsite support for incident response and forensic analysis,

• provide situational awareness in the form of actionable intelligence,

• coordinate the responsible disclosure of vulnerabilities/mitigations, and

• share and coordinate vulnerability information and threat analysis through information products and alerts.

The ICS-CERT serves as a key component of the Strategy for Securing Control Systems, which outlines a long-term, common vision where effective risk management of control systems security can be realized through successful coordination efforts.”9

The objectives of the ICS-CERT include to “coordinate the responsible disclosure of vulnerabilities/mitigations, and share and coordinate vulnerability information and threat analysis through information products and alert.”10 As systems become more connected, and more information becomes available, the attractiveness of targeting the energy grid will only increase. We have already seen this with the “NightDragon”11 report, where attackers extracted intellectual property through coordinated attacks against oil, energy, and petrochemical companies. Cyber-related attacks against this sector can be expected to increase, but in the future scenario the amount of data held by operators will be enormous and will include not only intellectual property, but also considerable volumes of personal data, transactional data, data critical to the security of operations, etc. Therefore, improving information sharing mechanisms is important in order to gain better intelligence about the threat landscape. While improving intelligence is important to building a proactive posture, there is also a clear need to implement strong security controls to mitigate identified risks. This has been discussed in earlier chapters, but one can expect that as the defense of a grid improves, so will the effort to identify gaps and to find new and innovative ways to circumvent the security controls. Many of the Advanced Persistent Threats (APTs) today look to leverage social engineering to coerce employees into clicking on links that redirect them to sites containing malware or other malicious software. They have also shifted away from operating system weaknesses to vulnerabilities in often overlooked client-side applications like PDF readers, animation engines, etc. This of course remains one of the most common techniques, and while security awareness activities can reduce this likelihood, they can never truly eliminate it.

The future of cyber security countermeasures

Disclaimer

The views expressed hereafter belong entirely to the authors, and not to their employers, and are not based on any future product knowledge concerning their employers or other confidential information. The speculations, ideas, opinions, views, predictions, concerns etc., are entirely their own. Statements within this chapter should be treated as conjecture and not fact, and are intended primarily to spark discussion and debate.

Perhaps the most interesting and exciting area of speculation involves how “the good guys” will be able to fight back against increasingly dangerous and sophisticated cyber threats. The security countermeasures discussed herein—firewalls, IDS and IPS, anomaly detection, whitelisting, SIEM et al.—can be used very effectively, but even in a well planned, implemented and managed security plan there will be gaps. How will the countermeasures evolve to fill these gaps? Refining the tools we have, inventing new ones specific to the Smart Grid and investigating new levels of interoperability will extend security into a more cohesive defense. The challenge is a difficult one: to extend the capabilities and collaboration of security tools while at the same time simplifying them, paring them down so that they can be widely distributed and embedded throughout the grid infrastructure.

Making the tools we have better

One trend that has already begun is the tailoring of these existing products to better protect the specialized use cases within the Smart Grid. Support for Smart Grid protocols such as DNP3, 61850, and others has already begun to appear in network inspection products from companies such as McAfee, Subnet, Tofino/Hirschmann, Wurldtech, and others. Improving the latency of inspection technologies (making them less disruptive when deployed inline) and minimizing the chances of false positives through finely tailored rule-sets has also been seen. But what will we see that’s new?

The challenge seems clear: getting the security countermeasures further into the specialized devices and protocols used within the Smart Grid. This requires the reversal of a trend in enterprise cyber security, by minimizing technologies and miniaturizing software controls until they are small enough and lightweight enough to embed throughout the grid—from RTUs, reclosers, and relays all the way to transmission monitoring, transformers, and turbines. It also means focusing less on consumer computing and more on industrial computing—supporting Real Time Operating Systems (RTOSs) and inspecting real-time network communications. Again, there are companies doing this today, but it’s a nascent market with significant room for innovation.

Another area is hardware-assisted security. Intel has already begun this work by implementing key technologies into vPro capable chipsets such as firewalls, client VPNs, anti-spoofing technology, and advanced chip-level technologies such as Trusted Execution Technology (TXT), Supervisor Mode Execution Protection (SMEP), and the Intel/McAfee collaboration called DeepSAFE12 that protects the boot cycle in order to prevent persistent malware and rootkits.

New tools

What will the entirely new tools look like? There’s no way to know for certain, but there are tools that we, the authors, would like to see. For example, the applicability of application whitelisting is undeniable and helps protect end devices against malware. Can the same paradigm be extended to whitelist network operation? There are companies that claim “process control whitelisting” through the use of 100% pattern-matching. This is as close to network whitelisting as is available today, but it is in effect nothing but a very restrictive blacklist—a highly refined control system IPS. Still, the promise of process whitelisting is intriguing. If it were possible to whitelist communication flows, including packet and protocol contents, so that rules could be defined as “only the following DNP3 functions are allowed between this source and this destination, and all others will be blocked,” it would greatly simplify network cyber security throughout the Smart Grid, reducing the overhead and footprint of a network IDS in the same way that application whitelisting reduced the overhead and footprint required by antivirus.

An interesting development with the concept of whitelisting is the Sophia project.13 This is sponsored by the Department of Energy Office of Electricity Delivery and Energy Reliability (DOE-OE). As opposed to the concept of whitelisting within the endpoint as discussed previously, Sophia focuses on network traffic by extracting the source, destination, and ports between SCADA components and storing these conversations as a baseline list of “approved” interactions. This whitelist of conversations is then used by Sophia to monitor subsequent conversations and generate alerts for any conversations outside of this list.
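The two ideas in this section, a learned baseline of approved (source, destination, port) conversations as Sophia does, and the finer rule the authors wish for (“only the following DNP3 functions are allowed between this source and this destination”), can be shown together in one small detector. The code below is an added example and is not Sophia’s code or any vendor’s product. The hosts, addresses and flow records are constructed; the DNP3 function codes listed are the standard application-layer codes from IEEE 1815, and TCP port 20000 is the registered DNP3 port. Conversations are learned from a trusted baseline window and then every later flow is checked, first at the conversation level and then at the function-code level.

```python
"""Sophia-style conversation whitelist plus a per-conversation DNP3 function allow-list.

Added example (not from the book, not Sophia's code). Hosts and flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# DNP3 application-layer function codes (IEEE 1815); only the subset used here.
DNP3_FUNCTIONS = {
    0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
    0x05: "DIRECT_OPERATE", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
    0x14: "ENABLE_UNSOLICITED", 0x15: "DISABLE_UNSOLICITED",
    0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE",
}

Conversation = Tuple[str, str, int]  # (source host, destination host, destination port)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: Optional[int] = None  # DNP3 function code; None for non-DNP3 traffic


class ConversationWhitelist:
    """Learn approved conversations, then alert on anything outside them."""

    def __init__(self) -> None:
        self.baseline: Set[Conversation] = set()
        self.allowed_funcs: Dict[Conversation, Set[int]] = defaultdict(set)

    def learn(self, flows: Iterable[Flow]) -> None:
        """Record every conversation, and every DNP3 function seen on it, as approved.

        The baseline must come from a window known to be clean: whatever is in it,
        including an intruder's traffic, becomes 'normal'.
        """
        for f in flows:
            conv = (f.src, f.dst, f.dport)
            self.baseline.add(conv)
            if f.func is not None:
                self.allowed_funcs[conv].add(f.func)

    def check(self, flow: Flow) -> Optional[str]:
        """Return an alert string, or None if the flow matches the whitelist."""
        conv = (flow.src, flow.dst, flow.dport)
        if conv not in self.baseline:
            # Sophia-level check: the conversation itself was never approved.
            return f"unknown conversation {flow.src} -> {flow.dst}:{flow.dport}"
        if flow.func is not None and flow.func not in self.allowed_funcs[conv]:
            # Function-level check: approved pair, but a function it never used.
            name = DNP3_FUNCTIONS.get(flow.func, f"0x{flow.func:02X}")
            return f"disallowed DNP3 function {name} from {flow.src} to {flow.dst}"
        return None

    def audit(self, flows: Iterable[Flow]) -> List[str]:
        return [a for a in (self.check(f) for f in flows) if a]


# Constructed clean baseline: a control master that reads and operates an
# outstation, a historian that only reads it, and the historian's database link.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 20000, 0x01),  # master: READ
    Flow("10.0.1.10", "10.0.2.20", 20000, 0x03),  # master: SELECT
    Flow("10.0.1.10", "10.0.2.20", 20000, 0x04),  # master: OPERATE
    Flow("10.0.1.30", "10.0.2.20", 20000, 0x01),  # historian: READ only
    Flow("10.0.1.30", "10.0.1.40", 1433, None),   # historian -> database, non-DNP3
]

# Constructed later traffic to be audited against the baseline.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 20000, 0x01),  # normal poll
    Flow("10.0.1.30", "10.0.2.20", 20000, 0x05),  # historian issuing DIRECT_OPERATE
    Flow("10.0.9.99", "10.0.2.20", 20000, 0x01),  # host never seen before
    Flow("10.0.1.10", "10.0.2.20", 20000, 0x0D),  # master issuing COLD_RESTART
    Flow("10.0.1.30", "10.0.1.40", 1433, None),   # normal database traffic
]


def run_demo() -> List[str]:
    wl = ConversationWhitelist()
    wl.learn(BASELINE_FLOWS)
    return wl.audit(OBSERVED_FLOWS)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

Note where the extra precision comes from: a conversation-only whitelist accepts the historian’s DIRECT_OPERATE and the master’s COLD_RESTART, because both pairs are approved at the address-and-port level; only the per-conversation function list catches them. The learning step is also the weak point, as the text implies for any whitelist: the baseline must be captured when the network is known to be clean and reviewed before it is enforced.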

Just before publication of this book, Kaspersky announced a new secure OS is being developed for industrial control systems.11 Will this negate the need for other, embedded controls? Will such an OS be successful and adopted within industry? Will something else emerge? Only time will tell.

Point security versus a secure framework

No discussion of futurism would be complete without a talk about frameworks. There have been many industry initiatives around building a secure communication framework for Smart Grids—perhaps the most well-known being the IEC standards around substation automation (IEC 62351). This is valuable work and will go a long way to improving the safety and reliability of the grid. However, as discussed in Chapters 2 and 3 (“Smart Grid Architecture,” and “Hacking the Smart Grid”), we can see that securing the communications alone is not enough. The data must be protected (the data that are produced by a system as well as the data that are consumed by it), and the devices need to be protected. Is it possible to extend this concept to enable (and enforce) end-to-end security at the device, network (communication) and even data tiers? If such a framework is built—and the IEC is well on its way—is it possible to implement?

It is the opinion of the authors of this book that a framework approach will be the logical end-result of proper cyber security implementations and planning: as point products become deployed, the “3 × 3” security requirements will slowly become fulfilled until eventually an end-to-end protection profile has been achieved for key systems. In other words, frameworks are good, but they are by definition goals to be worked toward, and there is sometimes the need to stick a plug in the dyke versus re-architecting the whole dam. This more pragmatic approach can have the same end-result: as more and more assets and interconnections throughout the Grid are included, the cyber security posture will extend as well, until it eventually encompasses all systems within the Smart Grid.

In other words, the goal of establishing a security framework across the Grid is a valuable, if somewhat lofty goal, but it is the ends rather than the means. A carefully assessed and implemented cyber security plan will eventually lead to a secure end-to-end framework within which the grid can operate, but an attempt to implement an over-arching framework as the first step of Smart Grid cyber security can delay the implementation of desperately needed security controls that are available and effective today (unless, of course, ubiquitous support can be obtained across all areas of industry and government—the challenge which the various standards bodies currently face).

We do need to mention the concept of continuous improvement, whereby the security posture of the Grid should be in a constant state of improvement. The attackers are constantly researching new ways to circumvent security controls; therefore, standing still is in fact going backwards.

Summary

You’ve seen the movies: we’re all going to have implants in our brains that rank us by serial number. We will be tracked by the Near Field Communication antennae in our smart phones, so that lights turn on and off as we enter and leave rooms, and so that the refrigerator can dispense the correct amount of beer or water depending upon our ambient temperature, stress level, and blood pressure. And as great as all of this will be, it will also be free for the world to see on a web portal or social media outlet.

But for right now, that’s still all fiction. By securing the Smart Grid as it exists today, and speculating only a little bit, we’ll be ready for the future when it comes.

References

1. PCWorld.com. The 7 worst tech predictions of all time [Available on the Internet]; December 31 2008. <http://www.pcworld.com/article/155984/worst_tech_predictions.html> [cited September 2012].

2. About.com. Political jokes [Available on the Internet]. <http://politicalhumor.about.com/library/jokes/bljokebigbrotherpizza.htm> [cited September 2012].

3. World Economic Forum. Personal data: the emergence of a new asset class [Available on the Internet]; January 2011. <http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011.pdf> [cited September 2012].

4. Stop smart meters UK [Available on the Internet]. <http://stopsmartmeters.org.uk/> [cited September 2012].

5. No to smart meters [Available on the Internet]. <http://nosmartmeters.org/> [cited September 2012].

6. The White House. Consumer data privacy in a networked world: a framework for protecting privacy and promoting innovation in the global digital economy [Available on the Internet]; February 2012. <http://www.whitehouse.gov/sites/default/files/privacy-final.pdf> [cited September 2012].

7. European Network Information Security Agency. Study on data collection and storage in the EU [Available on the Internet]; August 2012. <http://www.enisa.europa.eu/library/deliverables/data-collection/Fat_download/fullReport> [cited October 2012].

8. National conference of state legislatures. State security breach notification laws [Available on the Internet]; August 2012. <http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx> [cited October 2012].

9. US-CERT. United states computer emergency readiness team [Available on the Internet]. <http://www.us-cert.gov/control_systems/ics-cert/> [cited October 2012].

10. United States Computer Emergency Readiness Team. Industrial control systems cyber emergency response team [Available on the Internet]. <http://www.us-cert.gov/control_systems/ics-cert/> [cited November 2012].

11. McAfee.com. Global energy cyber attacks: night dragon [Available on the Internet]; February 2011. <http://www.mcafee.com/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf> [cited October 2012].

12. McAfee.com. McAfee DeepSAFE [Available on the Internet]. <http://www.mcafee.com/uk/solutions/mcafee-deepsafe.aspx> [cited November 2012].

13. SOPHIA fingerprinting tool [Available on the Internet]. <http://sophiahome.inl.gov/> [cited November 2012].