I had almost finished writing this blog when I attended a conference by J. C. Michaca, CEO of the company Cyber Resilience Sàrl. It addressed all the elements I wanted to point out, but also reinforced my convictions about the necessity of continued information efforts. The potentially disastrous effects of a large-scale criminal attack on the electrical grid have been convincingly described in the thriller « Black-Out ». It is not only fiction. One example among many: in spring 2017, hackers stayed undiscovered for 2 months in the Irish TSO EirGrid, time during which they were able to access unencrypted communication and introduce malware.

The electrical network is built for reliability but was never designed to withstand cyber-attacks on power generation or substations. If the coming grid evolution towards a « smart » decentralized production system implies greater flexibility and resilience, it also increases the complexity and the attack surface. A one-to-one application of existing IT solutions is unfortunately not sufficient, due to inherent differences between electrical grids and IT systems, such as:

Different security objectives: Cybersecurity objectives are classically described by the CIA concept: Confidentiality, Integrity and Availability of data (in order of priority). In electrical grids, Human Safety always comes at the top of the list (malfunctioning devices can endanger life). Second comes Availability (of a reliable & quality energy source and of the necessary operational data). Then come Integrity (of substations / power lines / data) and Confidentiality.

Lifetime of devices: Devices in an electrical network have an expected lifetime of 15 to 30 years. Substations and networks thus contain heterogeneous legacy devices, not designed with cybersecurity in mind, running decades-old proprietary software and various communication protocols. Even in new smart grids, the wide range of SCADA and embedded systems from multiple vendors, with various levels of security, increases the risk of a compromised supply chain.

Physical exposure: Electrical networks are deployed over vast, cross-border geographical areas. Critical intelligent devices, far from being centralized, sit at the edge of the network, some in unmanned, remote substations. Their access is relatively easy: intruders can compromise the system by exploiting the trust relationship between machines. In such systems, edge nodes need the same level of protection as central devices.

Technical and economic resource constraints: Applications often demand a response time on the order of a millisecond, though with limited computational resources. In addition, the grid has stringent latency constraints. Software solutions to cybersecurity must take these challenges into consideration. At the same time, low electrical energy prices impose economic pressure while infrastructure costs are growing. Security is considered an additional cost factor.

Human factor: Electrical utilities form a diverse ecosystem, from small local community-owned utilities (the more so in a decentralized smart grid model) to large trans-national corporations, with probably different levels of risk awareness and preparation.

Risk mitigation

In this context, what can be undertaken towards improved cyber-resilience? The first step in solving a problem is recognizing its existence. Awareness has increased, but misconceptions or reductive views about technological answers still exist. There is no such thing as THE foolproof solution. There is instead a puzzle of pragmatic actions which together constitute an adapted answer:

Continued Information and Education: This includes actions such as training and awareness-raising programs, simplifying the exchange of information with Expert Groups and Authorities, and fostering coherent responses by improving coordination at national and international level.

Clarify / enhance the legislative and normative framework: The list of norms and standards addressing specific cybersecurity aspects in power systems is long. It must and will evolve. As the time-scale of standards is much longer than the time-scale of cyber threats, recommendations have been made at EU level to ensure that the normative framework will (among others) be system oriented, rely on functional requirements (not short-lived technical requirements) and consider the expected lifetime of products.

Technological development: As mentioned above, technology is not in itself a sufficient answer, but it is necessary to cover protection and detection. In a complex landscape, authentication and authorization with e.g. a blockchain technology are certainly key to future systems, as well as Big Data analytics for detection purposes.

Introduce Cybersecurity in the product life cycle: Cybersecurity and cybertrust must be considered in product development, e.g. via security design reviews. Devices at all levels must be hardened as far as possible, using solutions adaptable to long-term threat evolutions (ideally to be formalized in supplier agreements). Cybersecurity of the network must also be considered at its foundation. Different existing or emerging technologies allow for a greater resilience of the system (improved network visibility thanks to better measurements at transmission and distribution level, refined modeling, islanding, regional black-start, self-healing capabilities).

Organize, Plan & Manage: At company level, cybersecurity should be approached holistically and regularly challenged. This implies hardware and software asset management, risk assessment, and planning for disaster recovery and business continuity, with emergency scenarios tested in real time.

Conclusion

Decentralization of energy sources and consumption is a possible scenario for the 21st century. It certainly is an ongoing macro-trend for the electrical network and allows for more flexibility and adaptability, key words for a future-proof T&D system in parallel to conventional cybersecurity approaches. As can be seen from biological systems, diversity is a possible strategy towards more resilience. The fact remains that there is no « magic button ». Improvement comes from long-term multi-level actions, « considering people, processes and technologies, and based on leadership, experience, knowledge and best practices ». In all cases, it is however necessary to keep in mind the KISS principle.