
Poor cybersecurity could destabilise increasingly complex energy grids

Securing smart energy grids will take a 'transformational' project, says CQR Consulting's Phil Kernick. Until then, we must 'hobble forward' with grids that are getting easier to take down.


The future of smart energy grids, with automatic management of both supply and demand, is "looking really interesting", says Phil Kernick, chief technology officer at security firm CQR Consulting. But the current state of the technology and its security is a problem.

"The distribution systems and the generation systems were deployed a decade and a half ago, and are not scheduled for change for another decade and a half," Kernick told journalists at a roundtable on the cybersecurity of energy and other utilities in Sydney on Tuesday.

"With a few notable exceptions there are no standards that are deployed in the energy sector in the control environment. None. No governance. No policies. No procedures. No documentation. It's just built the way it was built over the last 20 years by the people who built it. It's the IT of the 1980s and 90s writ large in the energy sector today," he said.

"I don't think we can get there from here without a fundamentally transformative approach from the board level down of the energy participants ... All the energy participants are looking at this, and they all agree that [smart grids are] the future, but here's the big overriding thing. Please don't look at us now. Do not look under [the] hood."

A key problem is that there's no real training or qualification in operational technology (OT) cybersecurity, and standards such as ISO/IEC 27019 "Information technology -- Security techniques -- Information security controls for the energy utility industry" are only beginning to be rolled out.

That said, Kernick does see more integration of OT with IT, and greater awareness of cybersecurity issues in boards.

"Five years ago we couldn't convince the boards of these organisations to talk about, to even consider cybersecurity as a concept. Now they see it as directly linked to the revenue generation and profitability of the organisations," he said. But when they ask questions, they don't like the answers.

"The whole approach you've used up to today is fundamentally wrong, or at least it's not forward-looking."

Smart grids mean increasing complexity

Over the next few years, the key trend in utilities will be increasing complexity, "not just in the design and management of networks, but also the delivery of services", according to Ivan Fernandez, industry director at analyst firm Frost & Sullivan.

The electricity sector is a key example.

"The integration of renewables [in Australia] has changed the way business is being done in the energy space. In 2017, we had over 700 megawatts (MW) of renewable energy projects that became operational in the country, and we estimate that by the end of 2017 we actually had seven times that volume of projects under construction or with financial support," he said.

While Australia has seen growth in both rooftop solar, and in large-scale renewable energy projects such as wind farms and solar farms, Fernandez said that we're now seeing a "surge" in medium-scale projects among commercial and industrial customers.

Frost & Sullivan estimates that by 2027 some 40 percent of customers will have "on-site distributed energy resources".

Adding to the complexity is what Fernandez called the "mainstreaming" of smart meters. Of the 13.6 million meters in the national energy market, currently 3.3 million are smart, or almost a quarter. The Australian Energy Market Operator (AEMO) Power of Choice rules require new or replacement meters to be smart. And the grid itself is becoming more intelligent.

According to Giovanni Polizzi, energy solutions manager at technology company Indra Australia, Australians love their rooftop solar. It now represents almost one-sixth of the entire National Electricity Market (NEM). At the end of 2017, the NEM had 44 gigawatts (GW) of capacity, and an additional 7GW of rooftop solar.

With more smarts in the system, it's becoming possible to use so-called "non-network solutions" to manage generation and demand response to, as Polizzi put it, "shave off the peaks of demand, to defer infrastructure investment in distribution networks."

NSW transmission operator TransGrid, for example, has opened a tender process to procure at least 40MW of "demand management solutions" in Sydney's CBD. This would allow them to defer spending an estimated AU$236 million on new network capacity including a new 330kV feeder cable. Such solutions could include renewable generation, load curtailment, demand response, and battery storage solutions. Similar projects are reportedly under way in Queensland and South Australia.

Polizzi said that another advantage of demand management is the response time. There have been cases in Australia in April when so-called "fast frequency response" took 0.28 seconds to react to signals, rather than the six seconds expected by the traditional ramp-up of generators.

"This is a real game-changer," he said. "No user actually presses a button. It's all done by the system."

How to take down a smart grid

Poor cybersecurity could destabilise the entire network, however. Kernick says that would be an easier attack to pull off than trying to shut down the heterogeneous network of large-scale generators.

When storms destroyed transmission lines in South Australia in 2016, it triggered network events that led to the collapse of the state's power grid. At least you could see the cause, Kernick said. But when it's a cyber issue, there isn't the technology in place to immediately identify the cause of the grid's instability.

Power grids protect themselves with automatic switches that cut transmission when things go unstable. They wait a few seconds before reconnecting, but if the network is still unstable, they disconnect again and need to be manually reset.

Mapping out the generators' and power grid's control systems, and understanding them well enough to be able to coordinate an attack, is difficult. But taking over thousands of consumer-grade solar controllers might be much simpler, much as the Mirai botnet took over vast numbers of smart home cameras, DVRs, routers, and more.

Rapidly cycling the output from tens of thousands of rooftop solar systems might well take down the grid, as might cycling the demand from tens of thousands of smart meters.

Energy control systems may be decades old, but Kernick thinks that technology almost as old might be perfect for protecting them, or at least allowing them to "hobble forward a few steps": intrusion detection systems (IDS).

IDS has fallen out of favour as the complexity of IT systems has increased. There's so much happening on networks that the IDS is tuned down to reduce the number of false positive alerts, to the point that it becomes useless. This is also why vendors promote the machine learning and artificial intelligence capabilities of what are now branded as network visibility tools.

"[A control network] is not full of random stuff. It is full of very, very well-understood, very stable, and unchanging things," Kernick said.

"Control engineers are really big on instrumentation. They instrument everything in their systems ... If you've ever been into a control station, you'll know that there are hundreds of, they call them 'points', on the board ... But none of them, and I mean none, integrate cybersecurity into the same board."

Kernick's proposal would mean that abnormal network traffic to a piece of equipment would be treated much the same as an over-voltage or a fuel leak, not in a separate monitoring system run by an outsourced security provider.
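Kernick's proposal, as an added example that is not from the article or from CQR Consulting: a strict allowlist IDS for a stable control network, where any flow outside the learned baseline becomes an alarm "point" in the same table as physical instrumentation. The hosts, protocols and function names are constructed placeholders, not real captures.

```python
"""Allowlist-style IDS for a stable control network (added example).
Because control-network traffic is well understood and rarely changes, the
baseline can be strict: anything not seen during learning is an alarm, not
noise to be tuned down as it would be on a general IT network."""
from collections import Counter

# Constructed sample flow records (not real captures): (src, dst, proto, function)
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    ("10.0.1.10", "10.0.2.22", "modbus", "read_holding_registers"),
    ("10.0.1.11", "10.0.2.21", "dnp3", "read"),
] * 20  # the same few conversations repeat throughout the learning window

OBSERVED_FLOWS = BASELINE_FLOWS[:6] + [
    ("10.0.1.10", "10.0.2.21", "modbus", "write_single_register"),  # known host, new function
    ("10.0.9.99", "10.0.2.22", "modbus", "read_holding_registers"),  # host never seen before
]

def learn_baseline(flows, min_count=5):
    """Keep only tuples seen at least min_count times: the stable, expected set."""
    counts = Counter(flows)
    return {flow for flow, n in counts.items() if n >= min_count}

def detect(flows, baseline):
    """Return one alarm point per flow that is not in the learned baseline."""
    known_sources = {b[0] for b in baseline}
    alarms = []
    for flow in flows:
        if flow in baseline:
            continue
        src, dst, _proto, _func = flow
        reason = "unexpected_function" if src in known_sources else "unknown_source"
        alarms.append({"point": f"NET_{dst}", "state": "ALARM", "reason": reason, "flow": flow})
    return alarms

def board_points(physical_points, alarms):
    """Merge network alarms into the same point table as over-voltage or fuel-leak alarms."""
    merged = dict(physical_points)
    for alarm in alarms:
        merged[alarm["point"]] = alarm["state"]
    return merged

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    found = detect(OBSERVED_FLOWS, base)
    for alarm in found:
        print(alarm)
    print(board_points({"VOLT_BUS1": "OK", "FUEL_GEN2": "OK"}, found))
```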

"We're probably one major cybersecurity event away from a complete change of view of the whole energy sector," Kernick said. "Unfortunately I honestly believe it will take one of those before it'll happen."

Update at 12:40pm AEST, July 27: Clarification of technical details.
