Confronting the Smart Grid's Cyber Challenge
Planning, Coordination Needed from the Start
The complexity of the smart grid introduces a cybersecurity challenge that isn't easy to overcome.
The smart grid is unlike other critical information infrastructures in that millions of nodes located in businesses, government installations and residences connect to the grid, a collection of networks that employ technology to analyze supplier and consumer behaviors to efficiently distribute electricity. And each node introduces a point for hackers to exploit to attack the grid.
Konstantinos Moulinos, a network and information security and critical information infrastructure protection expert for the European Network and Information Security Agency, says developing the security and processes around the smart grid has to start as early as possible, otherwise the system is setting itself up for potential failure.
"We need more coordination and more cooperation," he says in an interview with Information Security Media Group's Eric Chabrow [transcript below] on the European smart grid as well as recommendations for member states to secure smart grids.
Moulinos points to a pan-European approach which would ensure smart grid security measures are conducted in a coordinated manner. "I would say that standardization is the best way to set up the rules of the game from the very beginning," he says.
Regulation also plays a role in the smart grid because it places structure around the initiative, Moulinos says, acknowledging that specific risk-assessment methodologies need to be developed to identify the use-case scenarios and different risks that are involved in the smart grid.
"Security is a target," Moulinos says. "[But] there's no absolute security. We're trying to mitigate the risk. We try to find the tools in order to mitigate this risk."
In the interview, Moulinos also explains:
- The threat smart grids face from those who seek to cause havoc in electricity distribution;
- Why it's crucial to develop information security certification schemes for products for smart grids;
- What must happen next to assure smart grids are secured.
Moulinos is an expert at the security policies section of ENISA's technical department, having been detached from the Hellenic Data Protection Authority, where he had worked for 10 years as an information systems auditor. Moulinos has been awarded a diploma in informatics, a master of science in information systems and a Ph.D. in privacy enhancing technologies. He has more than 20 peer-reviewed publications covering areas such as information and network security, data protection and privacy-enhancing technologies.
European Power Grids
ERIC CHABROW: Could you please tell us a bit about the power grid in Europe? How interconnected is the grid among member states, and how much of power generation and distribution is operated by the private sector and how much by national governments?
KONSTANTINOS MOULINOS: I can tell you that there are a lot of differences among the member states, as the owners of the power grid and the different ways that this power grid is operated. There are countries, like Greece for example, that the power grid is totally public, it belongs to the public, and in other countries the grid belongs to the private sector. Of course there are great differences in terms of the maturity of each member state. There are some member states that are more advanced, especially in the area of security of the smart grids.
CHABROW: Are the grids interconnected among the various nations in the European Union?
MOULINOS: Yes, of course. They're interconnected. I know there's some research to identify the risks in the interconnection points. We're still in the infancy of the research.
CHABROW: How would you characterize the cyberthreat to the power grid in Europe, and how prepared are the member states and utility companies for a cyberattack?
MOULINOS: In both the traditional power grid and the smart grid, because the smart grid in some countries is not yet implemented. We're now trying to wake up, to put it in words. Although there are a lot of efforts, we still need more coordination and more cooperation in this area.
CHABROW: You just touched on something, making reference to the term power grid and smart grid, and of course they're not the same. In your report, one of the challenges defined in developing cybersecurity standards for the smart grid is agreeing on a definition of the term smart grid. How do you define a smart grid?
MOULINOS: There are a lot of different definitions for the smart grid. There's one given by the European Commission. I would say that in a few words a smart grid can be defined as an upgraded electricity network with two-way digital communications between the supplier and the consumer. Intelligent measuring and monitoring systems have been added.
CHABROW: Are there many smart grids already in existence in Europe or is this still in its infancy for most of the continent?
MOULINOS: There are some countries which are more advanced like Spain, the Netherlands, UK and Germany, and they're trying hard to find their own way. They try I would say more or less to pull the rest of the member states.
Developing Consistent Standards
CHABROW: In Spain, Netherlands, UK, Germany, are their standards similar when it comes to the smart grid or are they all over the place?
MOULINOS: Yeah, they're all over. This is an important issue. There are different standards which is why we need more coordination and more cooperation. We don't have a pan-European standard and this is something that was raised during ENISA's last workshop, which was held in Brussels the 27th of June on the security certification of smart grid components. This was one of the key findings of the workshop, that we need a kind of pan-European approach in the area of smart grid.
CHABROW: And why is that important?
MOULINOS: Otherwise, the industry will grow up in an uncoordinated manner and when a standard comes up, those that do not follow the standard will have some problems. I would say that standardization is the best way to set up the rules of the game from the very beginning.
CHABROW: Is it still relatively early in the smart grid?
MOULINOS: Yes, of course.
CHABROW: You had mentioned that some of the owners and operators of power systems in Europe are privately owned. In the United States, there's a debate going on in Congress in which one side calls for some government regulation on the most privately-owned critical information infrastructure and the other side opposing any regulations, saying that these industries know how best to secure themselves. So far, that disagreement has held up passage of comprehensive cybersecurity legislation. Does such an aversion expressed by opponents to government regulation, especially in the areas where there's private ownership of utilities, exist in Europe?
MOULINOS: For the moment, I wouldn't say that there's an opposition to having regulation, but due to the fact that there are different activities and sometimes overlaps, we feel that if this kind of situation continues for a long time then we'll have an uncoordinated development. I think that regulation has to play its role in order to put some structure in this activity. When I say regulation, I mean in regards to the security of the smart grids because these are - as I said - only with the security issues. For example, in Europe we don't have enough legal text in regards to security of the smart grid.
CHABROW: And you feel there should be more?
MOULINOS: At some point. One of the important issues raised during our workshop was that a reasonable legal framework should be developed so as to put some structure into the coordinated activities and on the other hand to give incentives for continuous improvement to the industry.
Smart Grid Cyberthreats
CHABROW: In a smart grid, there will literally be millions of nodes consisting of smart meters in businesses and homes. Doesn't this present a big cybersecurity challenge to hurdle, giving those who might want to disrupt electricity flow an entry into the electrical grid?
MOULINOS: Of course. The smart grid is one of the most complex things I would say, and this is exactly one of the main differences with other different critical infrastructures. For this reason, specific risk assessment methodologies have to be developed and there are activities which I would say for the moment are ongoing that are trying to identify the use-case scenarios and different risks involved in that complex system.
CHABROW: And do you believe it can be achievable to provide the kind of security needed?
MOULINOS: As always, security is a target. There's no absolute security, as you say. We're trying to mitigate the risk. We try to find the tools in order to mitigate this risk.
CHABROW: The nations that have smart grids already, have they found these tools or is this something they're still looking for?
MOULINOS: They're trying to find these tools. We know some activities and we participate and actively support these activities. Still, I would say in a risk phase we wait to see the results.
CHABROW: One of the recommendations calls for the development of security certification schemes for products and organizational security. Why is this important and what steps should be taken to implement this recommendation by those responsible for smart grid security?
MOULINOS: This is an open question. The organized workshop process weeks ago on the security certification of smart grid components, many issues were raised; a lot of different voices were heard from the audience. There's no - for the moment at least - clear roadmap for the certification. I think that we're on the right track because there are some initiatives.
For example, there's an initiative which is a project that deals with the grid infrastructure protection and there are groups there related with smart grid security and SCADA security. One of the activities of this group is to register all the security testing labs across Europe and the certification facilities across Europe. I think that this is a first step. We'll have to identify all facilities and all the providers of security testing and certification facilities.
After that, we will have to deal with other issues. For example, an important issue raised in the workshop was if we need certification for all devices, or for some devices and for others we need a lighter approach, I would say. These are all interesting questions and still open and I think we'll have to resolve them in order to develop the certification of the smart grid devices and security certification across Europe.
Another important issue that was raised is the creation of a pan-European protection profile, or the minimum security requirements, not only for smart meters but for other devices involved in the smart grids.
CHABROW: Among your recommendations is involving CERTs, Computer Emergency Response Teams, to play an advisory role in dealing with power grid cybersecurity. Your recommendations say it's better to expand the responsibilities of existing CERTs rather than establish a CERT specifically focused on the smart grid. Why so?
MOULINOS: Based on the findings of the report, there's a lack of member states to have a central authority to deal with computer emergency response capabilities. Most of the member states are keen on having or expanding the already existing computer emergency capabilities with ICS smart grid capabilities. This is one of the key findings of the report. It's better to start with small steps and expanding the [existing] capabilities would be much easier than having a central authority for doing this.
CHABROW: Plus, the infrastructure is already in place to help out.
MOULINOS: Although, there are some challenges in expanding this infrastructure, but according to their opinion it would be much more preferable to start with small steps.
CHABROW: So what happens next?
MOULINOS: There's a need for cooperation and coordination because otherwise the security of the smart grid would develop in an uncoordinated manner so we can see there that the first step would be to have a stable and uniform legal framework in regards to smart grid security around Europe. Of course, there are some other steps related to the recommendations but I think that the most important is this one.